WEB SECURITY (Professional Elective – VI)

UNIT - I
The Web Security, The Web Security Problem, Risk Analysis and Best Practices.
Cryptography and the Web: Cryptography and Web Security, Working Cryptographic Systems
and Protocols, Legal Restrictions on Cryptography, Digital Identification.
The Web Security
Web security, also known as cybersecurity for web applications, encompasses a broad set of
practices, technologies, and protocols aimed at protecting websites, web applications, and web
services from cyber threats. These threats include unauthorized access, data breaches, cyber
attacks, and other malicious activities that can compromise the confidentiality, integrity, and
availability of web-based resources. Web security is critical for ensuring safe and secure online
interactions for both users and organizations.
Authentication
This is the first process which provides a way to identify the user by having the user enter
its valid user name and password.

Authorization
Authentication precedes authorization.
After getting access to a system, the user might try to issue commands. The authorization
determines if a user has the authority to issue the commands.
It is a process of giving permission to do something or have some information access.
Confidentiality
• Confidentiality means that only authorized individuals/systems can view sensitive or
classified information. The data being sent over the network should not be accessed
by unauthorized individuals. The attacker may try to capture the data using different
tools available on the Internet and gain access to your information. A primary way to
avoid this is to use encryption techniques to safeguard your data so that even if the
attacker gains access to your data, he/she will not be able to decrypt it. Encryption
standards include AES(Advanced Encryption Standard) and DES (Data Encryption
Standard). Another way to protect your data is through a VPN tunnel. VPN stands for
Virtual Private Network and helps the data to move securely over the network.
Integrity
• The next thing to talk about is integrity. Well, the idea here is to make sure that data has
not been modified. Corruption of data is a failure to maintain data integrity. To check if
our data has been modified or not, we make use of a hash function.
We have two common types: SHA (Secure Hash Algorithm) and MD5(Message Digest
Algorithm 5). Now MD5 is a 128-bit hash and SHA is a 160-bit hash if we’re using SHA-1.
Availability
• This means that the network should be readily available to its users. This applies to
systems and to data. To ensure availability, the network administrator should maintain
hardware, make regular upgrades, have a plan for fail-over, and prevent bottlenecks in
a network. Attacks such as DoS or DDoS may render a network unavailable as the
resources of the network get exhausted.
Importance of Web Security
Web security is paramount in the digital age, playing a crucial role in safeguarding data,
maintaining trust, ensuring business continuity, and complying with legal requirements. Below
are the key reasons why web security is of utmost importance:
• Protecting Sensitive Data
1. Personal Information: Websites often collect and store personal data, such as names,
addresses, social security numbers, and financial information. Protecting this data is essential to
prevent identity theft, fraud, and privacy violations.
2. Business Information: Companies rely on web-based services for business operations,
including proprietary data, trade secrets, and strategic information. A security breach could
result in significant financial losses and competitive disadvantages.
3. Healthcare Data: In the healthcare sector, patient data is highly sensitive and
protected by regulations like HIPAA. Securing this data is crucial to protect patient
privacy and comply with legal standards.
• Maintaining Trust
1. User Confidence: Users need to trust that their data is safe when interacting with
websites. A breach or data leak can severely damage an organization's reputation,
leading to a loss of customer trust and loyalty.
2. Brand Reputation: Companies invest heavily in building their brand reputation.
Security incidents can tarnish a brand’s image, resulting in negative publicity and
long-term reputational damage.
3. Customer Retention: Secure websites are more likely to retain customers. Users prefer
to engage with businesses that demonstrate a commitment to protecting their data and
privacy.
• Ensuring Business Continuity
1. Operational Stability: Security breaches can disrupt business operations, leading to
downtime and loss of productivity. Ensuring robust web security helps maintain
continuous operation and service availability.
2. Financial Impact: The financial repercussions of security incidents can be substantial,
including costs associated with incident response, legal fees, regulatory fines, and loss of
revenue. Effective web security mitigates these risks.
3. Intellectual Property Protection: For many businesses, intellectual property (IP) is
their most valuable asset. Securing web platforms helps protect IP from theft and
unauthorized use.
• Preventing Cyber Attacks
1. Data Breaches: Effective web security measures are essential to prevent data breaches
that can expose sensitive information to malicious actors.
2. Malware and Ransomware: Web security helps protect against malware and
ransomware attacks that can compromise systems, steal data, or demand ransom
payments.
3. Phishing and Social Engineering: Implementing robust web security practices helps
protect users from phishing attacks and social engineering tactics aimed at stealing
credentials or sensitive information.
• Enhancing User Experience
1. Safe Browsing: Ensuring web security provides users with a safe browsing experience,
free from threats such as malicious ads, malware, and phishing sites.
2. Performance and Reliability: Secure websites are often more reliable and perform
better, as they are protected from disruptions caused by cyber attacks.
3. User Privacy: Protecting user data enhances their privacy, making them feel more
secure and comfortable while using web services.
The Web Security Problem:
The web security problem consists of three major parts:
• Securing the web server and the data that is on it. Need to be sure that the server can
continue its operation, the information on the server is not modified without
authorization, and the information is only distributed to those individuals to whom want
it to be distributed.
• Securing information that travels between the web server and the user. Assure that
information the user supplies to the web server (usernames, passwords, financial
information, etc.) cannot be read, modified, or destroyed by others. Many network
technologies are especially susceptible to eavesdropping, because information is
broadcast to every computer that is on the local area network.
• Securing the user’s own computer. Assure users that information, data, or
programs downloaded to their systems will not cause damage—otherwise, they will be
reluctant to use the service. Assure that information downloaded is controlled thereafter,
in accordance with the user’s license agreement and/or copyright.

• Web security encompasses the measures and protocols implemented to protect web
applications, services, and users from cyber threats and vulnerabilities. Understanding
the common security challenges is crucial for developing robust defenses.
Key issues include:
1. Cross-Site Scripting (XSS): XSS attacks occur when malicious scripts are injected into
trusted websites, allowing attackers to execute scripts in another user's browser. This
can lead to unauthorized access to user data, session hijacking, and defacement of
websites.
2. SQL Injection: This vulnerability allows attackers to interfere with the queries that an
application makes to its database. By injecting malicious SQL code, attackers can
access, modify, or delete data within the database. To prevent SQL injection,
developers should use parameterized queries and prepared statements, avoiding the
inclusion of user input directly in SQL statements.
3. Session Hijacking and Poisoning: Session hijacking involves an attacker stealing or
guessing a user's session ID to impersonate them on a web application. Session
poisoning, on the other hand, exploits insufficient input validation where user input is
improperly stored in session variables, leading to unauthorized actions. To safeguard
against these threats, it's essential to implement secure session management practices,
such as regenerating session IDs upon login and validating session data rigorously.
4. Browser Security Vulnerabilities: Web browsers themselves can have security flaws
that attackers exploit. Common vulnerabilities include improper input validation and
inadequate access controls. Users can mitigate risks by keeping browsers up-to-date,
disabling unnecessary plugins, and being cautious about the websites they visit.
5. Phishing and Social Engineering: Attackers often use phishing emails or fake websites
to trick users into divulging sensitive information, such as login credentials or financial
details. Educating users about recognizing phishing attempts and implementing
multi-factor authentication can significantly reduce these risks.

6. Denial-of-Service (DoS) Attacks: DoS attacks aim to overwhelm a web server with
excessive requests, rendering it unavailable to legitimate users. Distributed DoS (DDoS)
attacks amplify this by using multiple compromised systems. Implementing network
security measures, such as firewalls and intrusion detection systems, can help mitigate
these attacks.
Effective web security requires a comprehensive approach that encompasses risk analysis
and the implementation of best practices. Below are key components to consider:
1. Risk Analysis in Web Security:
• Identify Assets: Determine which data, applications, and systems are critical to your
organization.
• Assess Threats and Vulnerabilities: Evaluate potential threats and identify
vulnerabilities within your web applications and infrastructure.
• Evaluate Impact and Likelihood: Analyze the potential impact and likelihood of
different security incidents to prioritize risks effectively.
• Implement Mitigation Strategies: Develop and implement strategies to mitigate
identified risks, such as applying security patches and configuring systems securely.
Web Application Security Best Practices
• Use Web Application Security Software
• Implement Strong Authentication
• Secure Data Encryption
• Use Secure Coding Practices
• Critical Components of a Comprehensive Backup Strategy
• Keeping Tools Up to Date
• Conducting Web Application Security Audits
Cryptography and the Web:
Cryptography and Web Security
Cryptography plays a crucial role in ensuring the security of web systems. It is increasingly
employed to control access to computer systems, sign digital messages, facilitate
anonymous digital money exchanges, and even support secure online voting. Here, we
explore the various roles cryptography plays in modern information systems and its
importance in maintaining web security.
Roles for Cryptography
Security professionals have identified five primary roles that encryption plays in modern
information systems. Each role is associated with a specific keyword to standardize
terminology across the field. These roles are:
1. Authentication
o Definition: Authentication involves verifying the identity of a participant in a web
transaction or the author of an email message.
o Mechanism: Digital signatures are commonly used for this purpose. When a message is
signed digitally, recipients can verify the signer’s identity.
o Application: Digital signatures can complement or replace traditional authentication
methods like passwords and biometrics.
2. Authorization
o Definition: Authorization determines if an individual has the right to engage in a
specific transaction.
o Mechanism: Cryptographic techniques can securely distribute and manage a list of
authorized users, making it nearly impossible to falsify.
o Application: Ensures that only authorized individuals can access sensitive resources or
perform certain actions.
3. Confidentiality
o Definition: Confidentiality involves scrambling information sent over networks or stored on
servers to prevent unauthorized access.
o Mechanism: Encryption is used to protect data from eavesdroppers.
o Distinction: While sometimes referred to as "privacy," confidentiality specifically protects
data content, whereas privacy generally refers to the protection of personal information from
misuse.
4. Integrity
o Definition: Integrity ensures that a message has not been altered during transmission.
o Mechanism: Digital signatures and message digest codes are used to verify message
integrity.
o Application: Ensures that the received message is exactly what was sent, without any
tampering.
5. Nonrepudiation

o Definition: Nonrepudiation prevents the sender of a message from denying their

involvement in the transaction.

o Mechanism: Cryptographic receipts are used to prove that a message was indeed sent
by the claimed sender.

o Challenge: True nonrepudiation is difficult to achieve because it relies on proving the

intent of the user, which cryptographic technology alone cannot guarantee.
Working Cryptographic Systems and Protocols
• These systems fall into two categories. The first category of cryptographic programs
and protocols is used for encryption of offline messages—mostly email.
• The second category of cryptographic protocols is used for confidentiality,
authentication, integrity, and nonrepudiation for online communications.
PGP/OpenPGP
PGP (Pretty Good Privacy)* is a complete working system for the cryptographic
protection of electronic mail and files. OpenPGP is a set of standards (RFC 2440) that
describe the formats for encrypted messages, keys, and digital signatures. PGP offers
confidentiality, integrity, and nonrepudiation.
• PGP was the first widespread public key encryption program. The original version was
written between 1990 and 1992 by Phil Zimmermann and released on the Internet in
June 1991. Later versions were the result of efforts by Zimmermann and programmers
around the world.
• PGP is available in two ways: as a command-line program, which can be run on many
different operating systems, and as an integrated application, which is limited to
running on the Windows and Macintosh platforms.
• The integrated application comes with plug-in modules that allow it to integrate with
popular email packages such as Microsoft Outlook, Outlook Express, Eudora, and
Netscape Communicator. With these plug-ins, the standard email packages can
automatically send and receive PGP-encrypted messages.
S/MIME
• When we send an email with an attachment over the Internet, the attachment is
encoded with a protocol called the Multipurpose Internet Mail Extensions,* or MIME.
The MIME standard codifies the technique by which binary files, such as images or
Microsoft Word documents, can be encoded in a format that can be sent by email.
• Secure/MIME (S/MIME) extends the MIME standard to allow for encrypted email. On
the surface, S/MIME offers similar functionality to PGP; both allow email messages to
be encrypted and digitally signed.
Online Cryptographic Protocols and Systems
Online cryptographic protocols generally require real-time interplay between a client and
a server to work properly. The most popular online protocol is SSL, which is used to
protect information as it is sent between a web browser and a web server.
Cryptographic protocols for online communications
1.SSL
The Secure Sockets Layer* (SSL) is a general-purpose web cryptographic protocol for
securing bidirectional communication channels. SSL is commonly used with TCP/IP.
SSL is the encryption system that is used by web browsers such as Netscape navigator
and Microsoft’s Internet Explorer, but it can be used with any TCP/IP service. SSL
connections are usually initiated with a web browser using a special URL prefix.
For example, the prefix https: is used to indicate an SSL-encrypted HTTP connection,
whereas snews: is used to indicate an SSL-encrypted NNTP connection.
SSL offers confidentiality through the use of:
• User-specified encryption algorithms
• Integrity, through the use of user-specified cryptographic hash functions
• Authentication, through the use of X.509 v3 public key certificates
• Nonrepudiation, through the use of cryptographically signed messages
PCT
The Private Communications Technology (PCT) is a transport layer security protocol
similar to SSL that was developed by Microsoft because of shortcomings in SSL 2.0.
The SSL 2.0 problems were also addressed in SSL 3.0 and, as a result, use of PCT is
decreasing. Nevertheless, Microsoft intends to continue supporting PCT because it is
being used by several large Microsoft customers on their corporate intranets.
SET
The Secure Electronic Transaction* (SET) protocol is an online payment protocol designed
to facilitate the use of credit cards on the Internet.
The fundamental motivation behind SET is to speed transactions while reducing fraud. To
speed transactions, the protocol automates the “buy” process by having the consumer’s
computer automatically provide the consumer’s credit card number and other payment
information, rather than forcing the consumer to type this information into a form in a
web browser.
To reduce fraud, SET was designed so that the merchant would never have access to the
consumer’s actual credit card number. Instead, the merchant would receive an encrypted
credit card number that could only be decrypted by the merchant’s bank.
DNSSEC
The Domain Name Service Security (DNSSEC) standard† is a system designed to bring
security to the Internet’s Domain Name System (DNS). DNSSEC creates a parallel public
key infrastructure built upon the DNS system. Each DNS domain is assigned a public key.
DNSSEC allows for secure updating of information stored in DNS servers, making ideal for
remote administration.
IPsec and IPv6
• IPsec* is a cryptographic protocol designed by the Internet Engineering Task Force to
provide end-to-end confidentiality for packets traveling over the Internet. IPsec works
with IPv4, the standard version of IP used on today’s Internet. IPv6, the “next
generation” IP, includes IPsec.
• IPsec does not provide for integrity, authentication, or nonrepudiation, but leaves
these features to other protocols. Currently, the main use of IPsec seems to be as a
multivendor protocol for creating virtual private networks (VPNs) over the Internet.
• Kerberos
• Kerberos is a network security system developed at MIT and used throughout the
United States. Kerberos is a difficult system to configure and administer. Kerberos
does not use public key technology.‡ Instead, Kerberos is based on symmetric ciphers
and secrets that are shared between the Kerberos server and each individual user.
• Each user has his own password, and the Kerberos server uses this password to
encrypt messages sent to that user so that they cannot be read by anyone else. To
operate a Kerberos system, each site must have a Kerberos server that is physically
secure. The Kerberos server maintains a copy of every user’s password. In the event
that the Kerberos server is compromised, every user’s password must be changed.
Legal Restrictions on Cryptography
• The legal landscape surrounding cryptography is a complex and ever-evolving domain,
shaped by a myriad of factors including technological advancements, national security
imperatives, and international agreements. Recent years have witnessed divergent
trajectories in cryptographic regulations, with the United States experiencing a
relaxation of restrictions, while other nations have opted to tighten their grip on
cryptographic technologies, reflecting the intricate interplay between security,
innovation, and governance.
Cryptography and the Patent System:
The intersection of cryptography and the patent system encapsulates a nuanced
narrative spanning over three decades, characterized by a blend of reluctant acceptance
and fervent advocacy within the computer industry. At the heart of this convergence lies
the doctrine of equivalence, a foundational principle of patent law that extends its
jurisdiction to encompass software implementations, thereby subjecting cryptographic
algorithms to the realm of intellectual property rights. Consequently, the emergence of
computers capable of executing logic circuits in software paved the way for the
assimilation of computer programs into the fabric of patent law.
The Outlook for Patents:
Despite the crucible of innovation continually yielding new encryption algorithms, a
diverse array of unpatented encryption algorithms has thrived, embodying attributes of
security, efficiency, and widespread adoption. Furthermore, the hegemony of patented
algorithms in cryptographic and e-commerce spheres appears to be on the decline, as the
exigencies of internet commerce render patented algorithms increasingly redundant,
ushering in an era where open-source and unencumbered cryptographic solutions gain
prominence.
Cryptography and Trade Secret Law:
Traditionally, the cloak of secrecy has enshrouded encryption algorithms, with many business leaders
espousing the belief that secrecy serves as a panacea for cryptographic security. However, contemporary
security paradigms challenge this notion, recognizing that secrecy alone does not inherently fortify
cryptographic security. Instead, transparency emerges as a cornerstone of cryptographic innovation,
fostering collaboration, scrutiny, and refinement within the academic and industry domains.
Regulation of Cryptography by International and National Law:
Over the past half-century, a burgeoning consensus has emerged among governments worldwide
regarding the need to regulate cryptographic technology. Rooted in military imperatives stemming from
World War II experiences, regulatory efforts seek to preempt adversaries from gaining a decisive
advantage by intercepting encrypted communications. In the United States, regulatory frameworks
historically governed cryptographic exports, navigating the intricate terrain of national security
exigencies and international relations.
U.S. Regulatory Efforts and History:
The annals of U.S. regulatory history bear witness to the tumultuous journey of cryptographic
export controls, enforced through mechanisms such as the Defense Trade Regulations.
Throughout the 1980s, companies seeking to export cryptographic technologies grappled with
onerous licensing processes, reflecting the delicate balance between technological innovation
and national security imperatives. However, the Clinton Administration's landmark compromise
in 1992 heralded a paradigm shift, ushering in a series of proposals centered on key escrow
mechanisms aimed at reconciling security imperatives with governmental access to plaintext
data.
The Digital Millennium Copyright Act:
The inexorable rise of digital media markets, encompassing diverse forms such as pictures,
e-books, music files, and movies, heralds a new frontier fraught with challenges and
opportunities. While the internet affords unprecedented avenues for the transmission, rental,
sale, and display of digital media, the ease of digital replication poses significant challenges in
combating fraud and theft. The Digital Millennium Copyright Act emerges as a legislative
bulwark against digital piracy, seeking to safeguard the intellectual property rights of content
creators while navigating the complexities of digital distribution and consumption.
International Agreements on Cryptography:
International agreements governing cryptographic technologies trace their origins to
organizations such as COCOM, tasked with overseeing the export of military and dual-use
technologies. The Council of Europe's Recommendation R (95) 13 underscores the
delicate equilibrium between curbing criminal activities facilitated by cryptography and
preserving its legitimate use for privacy and security purposes. As nations navigate the
intricate tapestry of cryptographic governance, international agreements serve as
linchpins in fostering cooperation, standardization, and shared norms across diverse
geopolitical landscapes.
Digital Identification
• Digital identification, in the context of web security, refers to the process of uniquely
verifying and authenticating the identity of users or entities accessing online services
or resources. It involves the use of digital credentials or certificates to establish trust
and ensure the integrity and confidentiality of data exchanged over the internet.
• Digital identification mechanisms typically rely on cryptographic techniques to
generate and manage unique identifiers, such as digital signatures, public/private key
pairs, and digital certificates. These identifiers are used to verify the identity of users
and entities, authenticate their access to online resources, and secure communication
channels against unauthorized access or tampering.
In web security, digital identification plays a critical role in various aspects:
1. User Authentication: Digital identification enables websites and online services to
authenticate users securely, ensuring that only authorized individuals can access
sensitive information or perform privileged actions.
2. Secure Communication: Digital identification facilitates the establishment of secure
communication channels between users and web servers through protocols like HTTPS
(HTTP Secure). This helps prevent eavesdropping, data interception, and tampering
during data transmission.
3. Data Integrity: By digitally signing data and messages, digital identification ensures
their integrity, meaning that any unauthorized modification or tampering can be
detected, thus preserving the trustworthiness of information exchanged over the web.
4. Access Control: Digital identification enables fine-grained access control mechanisms,
allowing websites to enforce user permissions and restrict access to specific resources based on
user roles or privileges.
5. Transaction Security: In e-commerce and online transactions, digital identification is crucial
for verifying the identities of parties involved, securing payment processes, and preventing fraud
or unauthorized transactions.
• Overall, digital identification forms the cornerstone of web security by providing robust
authentication, secure communication, data integrity, access control, and transaction
security, thereby safeguarding user privacy and protecting against various cyber threats.