Introduction to Web Application Security

The document is an introduction to web application security presented by Ayush Bajirao and Piyush Pranav, aimed at engaging participants in discussions about the Internet, World Wide Web, and web applications. It covers fundamental concepts like HTTP, client-server architecture, and the importance of security measures against user input vulnerabilities. The session encourages interactivity and emphasizes the need for understanding both the technical and security aspects of web applications.


Introduction to Web Application Security
Learn Hack Repeat

By - Ayush Bajirao & Piyush Pranav


Who are we?

We are third-year Computer Science Engineering students, very much interested
in the field of Cyber Security.
Rules
● Make this session interactive: we will be asking a lot of questions and
expecting answers from you, no matter if the answer is wrong.
● Write your complete answer somewhere (like Notepad) and then paste it in
the chat. Do not spam, or you will be kicked.
● If you wish to answer using audio, send "I wish to answer." in the chat and
wait till your name is called to turn on your mic.
Internet & The World Wide Web
Wikipedia says:

● The Internet (portmanteau of interconnected network) is the global system of interconnected computer networks
that uses the Internet protocol suite (TCP/IP) to link devices worldwide.
● The World Wide Web (WWW), commonly known as the Web, is an information system where documents and other
web resources are identified by Uniform Resource Locators (URLs, such as https://www.example.com/), which may
be interlinked by hypertext, and are accessible over the Internet.

1. What do you think is the Internet and the World Wide Web?
2. What is the difference between the two?
3. What else would you like to / can you do over the internet?
Websites & Web Applications
Wikipedia says:

● A website (also written as web site) is a collection of web pages and related content that is identified by a common
domain name and published on at least one web server.

● In computing, a web application or web app is a client–server computer program that the client (including the user
interface and client-side logic) runs in a web browser.

1. What is the difference between the two?

2. Does using SSL (encryption) make a site completely secure? Why?
The Very Basics
1. Are static websites vulnerable?

2. How does the internet work? (If we had all the infrastructure in place what would you need next for the
internet to use it?)
HyperText Transfer Protocol Basics
Wikipedia says:

Hypertext Transfer Protocol (HTTP) is an application-layer protocol for transmitting hypermedia documents, such as
HTML. It was designed for communication between web browsers and web servers, but it can also be used for other
purposes. HTTP follows a classical client-server model, with a client opening a connection to make a request, then waiting
until it receives a response.

1. What is request and response?

2. What could go wrong and why is security required?


Client Server Architecture
HTTP Requests
GET /auth/488/YourDetails.ashx?uid=129 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; InfoPath.3; .NET4.0E; FDM; .NET CLR 1.1.4322)
Accept-Encoding: gzip, deflate
Host: mdsec.net
Connection: Keep-Alive
Cookie: SessionId=5B70C71F3FD4968935CDB6682E545476
HTTP Responses
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 09:23:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: tracking=tI8rk7joMx44S2Uu85nSWc
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1067

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Your details</title>
...
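To make "what is a request and a response?" concrete, here is a small parser that splits the raw messages shown above into their parts (start line, headers, body, query string, cookies) and checks that the declared Content-Length matches the body that is really there. This is an added example for this page, not code from the original slides. The sample messages are the page's own request and response, with the long Accept and User-Agent headers shortened and the response body truncated (its Content-Length changed to match); the function names are choices made here.

```python
# Added example: a small parser for the raw HTTP/1.1 messages shown above.
# Not code from the original slides. The sample messages are the page's own
# request and response, with long headers shortened and the response body
# truncated (Content-Length adjusted to match the truncated body).
from urllib.parse import parse_qs, urlsplit

RAW_REQUEST = (
    "GET /auth/488/YourDetails.ashx?uid=129 HTTP/1.1\r\n"
    "Accept: application/x-ms-application, image/jpeg, */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: mdsec.net\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: SessionId=5B70C71F3FD4968935CDB6682E545476\r\n"
    "\r\n"
)

RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 19 Apr 2011 09:23:32 GMT\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: tracking=tI8rk7joMx44S2Uu85nSWc\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 6\r\n"
    "\r\n"
    "<html>"
)


def parse_cookies(header: str) -> dict:
    """Split a Cookie header ("a=1; b=2") into a name -> value dict."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def parse_message(raw: str) -> dict:
    """Split a raw HTTP/1.1 message into start line, headers and body.

    The start line decides whether it is a request (METHOD target VERSION)
    or a response (VERSION status reason); the header block ends at the
    first blank line and everything after it is the body.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; a strict server would reject this
        # Header names are case-insensitive, so normalise them. Repeated
        # headers are joined: Cookie with "; " (RFC 6265), others with ", ".
        key, value = name.strip().lower(), value.strip()
        joiner = "; " if key == "cookie" else ", "
        headers[key] = f"{headers[key]}{joiner}{value}" if key in headers else value
    msg = {"headers": headers, "body": body}

    first, second, rest = (lines[0].split(" ", 2) + ["", ""])[:3]
    if first.startswith("HTTP/"):
        msg.update(kind="response", version=first, status=int(second), reason=rest)
    else:
        url = urlsplit(second)
        msg.update(
            kind="request", method=first, version=rest, path=url.path,
            # parse_qs keeps every value as a list so repeated parameters
            # (?uid=1&uid=2) stay visible instead of being silently overwritten.
            query=parse_qs(url.query, keep_blank_values=True),
            cookies=parse_cookies(headers.get("cookie", "")),
        )
    return msg


def content_length_matches(msg: dict) -> bool:
    """True when the declared Content-Length equals the body actually present.

    A server or proxy must check this rather than trust the header: a
    mismatch is where request smuggling and truncated-response bugs begin.
    """
    declared = msg["headers"].get("content-length")
    actual = len(msg["body"].encode("utf-8"))
    return actual == (int(declared) if declared is not None else 0)


if __name__ == "__main__":
    for raw in (RAW_REQUEST, RAW_RESPONSE):
        parsed = parse_message(raw)
        print(parsed["kind"], {k: v for k, v in parsed.items() if k != "headers"})
        print("content-length ok:", content_length_matches(parsed))
```

Everything the parser returns for the request (method, path, query values, cookies, every header) came from the client and can be set to any value; that is the point the next slide makes.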
The Main Problem Is That Users Can Submit Arbitrary Input
Defense Mechanisms
1. Handling User Access

2. Handling User Input

3. Handling Attackers
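The three mechanisms above, applied to a handler for a request like the GET /auth/488/YourDetails.ashx?uid=129 shown earlier: the caller must hold a valid server-side session and may only read their own record (handling user access); uid is checked against a strict allow-list before it is used for anything (handling user input); and every rejection is written to an audit log, with a session that keeps sending rejected requests being locked out (handling attackers). This is an added example for this page, not the slide authors' code. The session table, the account table, the lockout threshold and all names are assumptions made for the illustration, and the records are constructed sample data.

```python
# Added example for the three defence mechanisms above. Not the slide
# authors' code; the session table, account table, lockout threshold and
# all names are assumptions, and the records are constructed sample data.
import re
from dataclasses import dataclass, field

# Assumed session store: session id -> user id (constructed sample data).
SESSIONS = {
    "5B70C71F3FD4968935CDB6682E545476": 129,
    "A1B2C3D4E5F60718293A4B5C6D7E8F90": 1,
}
# Assumed account table: user id -> record (constructed sample data).
ACCOUNTS = {
    129: {"name": "Alice", "role": "user"},
    130: {"name": "Bob", "role": "user"},
    1: {"name": "Admin", "role": "admin"},
}
# Handling user input: an allow-list for uid. Only a positive decimal integer
# passes; "129abc", "-1", " 129" and "" are all rejected before any lookup.
UID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")
LOCKOUT_THRESHOLD = 3  # assumed: rejected requests per session before lockout


@dataclass
class Audit:
    """Handling attackers: an audit trail plus a per-session failure counter."""
    log: list = field(default_factory=list)
    failures: dict = field(default_factory=dict)

    def record(self, session_id, outcome, detail):
        self.log.append((session_id, outcome, detail))
        if outcome != "ok":
            self.failures[session_id] = self.failures.get(session_id, 0) + 1

    def locked(self, session_id):
        return self.failures.get(session_id, 0) >= LOCKOUT_THRESHOLD


def your_details(query: dict, cookies: dict, audit: Audit) -> tuple:
    """Return (status, body) for YourDetails, enforcing all three mechanisms.

    query   -- parsed query string, each value a list (as parse_qs returns)
    cookies -- parsed Cookie header, name -> value
    """
    session_id = cookies.get("SessionId")

    # Handling attackers: a session that keeps sending bad requests is cut off.
    if audit.locked(session_id):
        audit.record(session_id, "locked", "session locked after repeated rejections")
        return 403, "locked"

    # Handling user access (1): the caller must present a valid session.
    caller = SESSIONS.get(session_id)
    if caller is None:
        audit.record(session_id, "no-session", "missing or unknown SessionId")
        return 401, "login required"

    # Handling user input: validate uid strictly before using it anywhere.
    raw_uid = query.get("uid", [""])[0]
    if not UID_PATTERN.fullmatch(raw_uid):
        audit.record(session_id, "bad-input", f"rejected uid={raw_uid!r}")
        return 400, "bad uid"
    uid = int(raw_uid)

    # Handling user access (2): a user may read only their own record. The
    # decision rests on the server-side session, never on the client's uid.
    if uid != caller and ACCOUNTS[caller]["role"] != "admin":
        audit.record(session_id, "forbidden", f"user {caller} asked for uid {uid}")
        return 403, "forbidden"

    account = ACCOUNTS.get(uid)
    if account is None:
        audit.record(session_id, "not-found", f"uid {uid} does not exist")
        return 404, "no such user"

    audit.record(session_id, "ok", f"user {caller} read uid {uid}")
    return 200, account["name"]


if __name__ == "__main__":
    audit = Audit()
    alice = {"SessionId": "5B70C71F3FD4968935CDB6682E545476"}
    for q in ({"uid": ["129"]}, {"uid": ["130"]}, {"uid": ["129abc"]},
              {"uid": ["-1"]}, {"uid": ["129"]}):
        print(q, "->", your_details(q, alice, audit))
    for entry in audit.log:
        print(entry)
```

Note the order of the checks: the session is resolved before uid is even looked at, and the ownership check compares the requested uid with the user id the server stored at login, so editing uid=129 in the request changes nothing about who the caller is. The counter here is keyed by session id only; a real deployment would also key on the client address so that requests with no session at all can be throttled.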
