01 PPT-Unit 1


Topic for the class: The Evolution of Web Applications

Unit I : Web Application (In)security

Dr. Bhabendu Kumar Mohanta


Assistant Professor
Department of Computer Science Engineering
GITAM Institute of Technology (GIT)
Visakhapatnam – 530045
Email: [email protected]

Department of Computer Science Engineering, GIT 19ECF342 :Web Application Security


2022 1
Learning Outcomes
• At the end of this lecture, students will be able to describe the evolution of web applications

The Evolution of Web Applications

• In its early days, the World Wide Web consisted only of web sites.
• These were essentially information repositories containing static documents.
• The flow of interesting information was one-way, from server to browser.
• Most sites did not authenticate users.
• The main risk was vulnerabilities in the web server software itself.
• If an attacker compromised a web server, he
  – gained access only to information that was already
  – open to public view

The Evolution of Web Applications

• Today, the World Wide Web is highly functional and relies on a two-way flow of information.
• Applications support registration and login, financial transactions, search, and the authoring of content by users.
• Content presented to users is generated dynamically on the fly and tailored to each specific user.
• This brings significant security threats: each application is different and may contain unique vulnerabilities.
• To deliver their core functionality, web applications normally require connectivity to internal computer systems.
• Those internal systems contain highly sensitive data and can perform powerful business functions.

Common Web Application Functions

• Some web application functions that have risen to prominence are:
  – Shopping (Amazon)
  – Social networking (Facebook)
  – Banking (Citibank)
  – Web search (Google)
  – Auctions (eBay)
  – Gambling (Betfair)
  – Web logs (Blogger)
  – Web mail (Gmail)
  – Interactive information (Wikipedia)

Common Web Application Functions

• Applications that are accessed using a computer browser increasingly overlap with mobile applications.
• Both use HTTP-based APIs to communicate with the server.
• Web applications have been widely adopted inside organizations to support key business functions:
  – HR applications
  – Administrative interfaces
  – Collaboration software
  – Business applications such as enterprise resource planning (ERP) software
  – Office software delivered as web applications through services such as Google Apps and Microsoft Office Live

Benefits of Web Applications

• HTTP is lightweight and connectionless.
• HTTP can also be proxied and tunneled over other protocols, allowing for secure communication.
• Every web user already has a browser installed.
• Web applications deploy their user interface dynamically to the browser, so separate client software is not required.
• Today’s browsers are highly functional, enabling rich and satisfying user interfaces to be built.
• Client-side scripting enables applications to push part of their processing to the client side.
• Capabilities can be extended by using browser extension technologies.
Web Application Security

• Web applications have brought a new range of security vulnerabilities.
• The most serious attacks against web applications are those that expose sensitive data or gain unrestricted access to the back-end systems.
• High-profile compromises of this kind continue to occur frequently.
• For many organizations, however, any attack that causes system downtime is a critical event.
• Application-level denial-of-service attacks can be used to achieve the same results.

Web Application Security

• There is a widespread awareness that security is an issue for web applications.
• Most applications state that they are secure because they use SSL. For example:
  – "This site is absolutely secure. It has been designed to use 128-bit Secure Socket Layer (SSL) technology to prevent unauthorized users from viewing any of your information. You may use this site with peace of mind that your data is safe with us"

Web Application Security

• Organizations also cite their compliance with Payment Card Industry (PCI) standards to reassure users that they are secure. For example:
  – "We take security very seriously. Our web site is scanned daily to ensure that we remain PCI compliant and safe from hackers. You can see the date of the latest scan on the logo below, and you are guaranteed that our web site is safe to use."

Web Application Security

• Common categories of vulnerability:
  – Broken authentication
  – Broken access controls
  – SQL injection
  – Cross-site scripting
  – Information leakage
  – Cross-site request forgery

Web Application Security

• Broken authentication (62%) — This category of vulnerability encompasses various defects within the application’s login mechanism, which may enable an attacker to guess weak passwords, launch a brute-force attack, or bypass the login.

• Broken access controls (71%) — This involves cases where the application fails to properly protect access to its data and functionality, potentially enabling an attacker to view other users’ sensitive data held on the server or carry out privileged actions.
Web Application Security

• SQL injection (32%) — This vulnerability enables an attacker to submit crafted input to interfere with the application’s interaction with back-end databases. An attacker may be able to retrieve arbitrary data from the application, interfere with its logic, or execute commands on the database server itself.

• Cross-site scripting (94%) — This vulnerability enables an attacker to target other users of the application, potentially gaining access to their data, performing unauthorized actions on their behalf, or carrying out other attacks against them.
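The SQL injection description above turns on one detail: whether user input becomes part of the SQL text or is passed to the database as a separate value. The following added example (not part of the lecture slides) builds a constructed in-memory sqlite table and runs the same lookup both ways; a username that merely contains an apostrophe is enough to show that the concatenated form hands the input to the SQL parser, while the parameterized form treats it as data.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the application's back-end database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is spliced into the SQL text, so characters in the input
    # can change the structure of the statement instead of staying a plain value.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The statement text is fixed; the driver sends the value separately, so a
    # quote character in the input can never terminate the string literal.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def run_demo():
    conn = make_db()
    name = "O'Brien"  # constructed input: a legitimate name containing a single quote
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, "obrien@example.invalid"))
    results = {}
    try:
        results["vulnerable"] = lookup_vulnerable(conn, name)
    except sqlite3.Error as exc:
        # The quote reached the SQL parser: the caller controls the query's structure,
        # and the raw error text is exactly the kind of detail information leakage exposes.
        results["vulnerable"] = f"SQL error: {exc}"
    results["parameterized"] = lookup_parameterized(conn, name)
    return results


if __name__ == "__main__":
    for form, outcome in run_demo().items():
        print(f"{form:14} -> {outcome}")
```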
Web Application Security
• Information leakage (78%) — This involves cases where an application divulges sensitive information that is of use to an attacker in developing an assault against the application, through defective error handling or other behavior.

• Cross-site request forgery (92%) — This flaw means that application users can be induced to perform unintended actions on the application within their user context and privilege level. The vulnerability allows a malicious web site visited by the victim user to interact with the application to perform actions that the user did not intend.
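The standard defence against the cross-site request forgery described above is to require a secret token on every state-changing request that only the application's own pages can supply. This added example (not from the slides) issues an HMAC-based token bound to the session, verifies it in constant time, and shows a constructed transfer handler rejecting a request that arrives without it; `SERVER_SECRET`, `handle_transfer` and the request dictionary shape are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; a real deployment loads this from protected configuration.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


def issue_csrf_token(session_id: str) -> str:
    # Random nonce makes the token unguessable; binding it to the session id means
    # a token captured from one session cannot be replayed against another.
    nonce = secrets.token_hex(16)
    msg = f"{session_id}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    # Recompute the MAC for this session and compare in constant time.
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False  # malformed token
    msg = f"{session_id}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_transfer(request: dict):
    # Hypothetical state-changing endpoint. A third-party site can make the victim's
    # browser submit this form with the victim's cookies, but it cannot read or forge
    # the token embedded in the application's own page, so the request is refused.
    if not verify_csrf_token(request["session_id"], request.get("csrf_token", "")):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, f"transferred {request['amount']} to {request['to']}"


if __name__ == "__main__":
    token = issue_csrf_token("sess-A")
    print(handle_transfer({"session_id": "sess-A", "amount": 100, "to": "acct-42"}))
    print(handle_transfer({"session_id": "sess-A", "amount": 100, "to": "acct-42",
                           "csrf_token": token}))
```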

Web Application Security

• SSL is an excellent technology that protects the confidentiality and integrity of data
in transit between the user’s browser and the web server
• It helps defend against eavesdroppers, and it can provide assurance to the
user of the identity of the web server he is dealing with.
• But it does not stop attacks that directly target the server or client
components of an application, as most successful attacks do.
• Specifically, it does not prevent any of the vulnerabilities just listed, or many
others that can render an application critically exposed to attack.
• Regardless of whether they use SSL, most web applications still contain
security flaws.

THANK YOU
