Web Application Security

Introduction: Web Application

Security
• Web application security refers to the practices and tools
used to protect websites, web applications, and online
services from cyber threats.

• As the internet grows, web applications are increasingly

targeted by malicious actors seeking to exploit
vulnerabilities.
OWASP (Open
Worldwide
Application
Security
Project (OWASP))
Top 10 Security:
1. Key Components in Web Application Security
Common Key Vulnerabilities

 Injection Attacks: It is type of cyberattack where an attacker exploits a vulnerability in an

application to send malicious code into a system. This can allow the attacker to access data, execute
unauthorized commands, or manipulate system’s operations.

 Cross-Site Scripting (XSS): It is type of security vulnerability that can be found in some web
applications. It enable attackers to inject client side scripts into web pages viewed by other users. This
vulnerability may be used to bypass access controls, such as the same origin policy. Attackers inject
malicious scripts into web pages viewed by other users. This can allow the attacker to steal session
cookies, redirect users to malicious websites, or perform actions on behalf of the victim.

 Cross-Site Request Forgery (CSRF): This forces a user to execute unwanted actions on a web
application in which they're authenticated.

 Broken Authentication: When credentials and session management are poorly implemented,
attackers can hijack accounts.

 Insecure Direct Object References (IDOR): Attackers manipulate references to access

unauthorized data.

 Security Misconfiguration: Improper configurations in applications, databases, and servers can

leave systems vulnerable to attacks.
 2. Security Best Practices
 Input Validation: Ensure that all user inputs are properly validated to
prevent injection attacks.
 Use Secure Authentication Mechanisms: Implement strong
password policies, two-factor authentication (2FA), and use secure
methods for storing and transmitting credentials.
 HTTPS/SSL Encryption: Encrypt data in transit using HTTPS to protect
sensitive information from being intercepted.
 Secure Session Management: Use secure cookies and ensure that
session IDs are properly managed and invalidated after logout.
 Access Control: Implement role-based access controls (RBAC) and least
privilege principles to restrict access to sensitive areas.
 Security Headers: Utilize HTTP security headers like Content Security
Policy (CSP), X-Frame-Options, X-XSS-Protection, and others to mitigate
 3. Web Application Security Tools
 Web Application Firewalls (WAF): A WAF helps protect applications
by filtering and monitoring HTTP requests and blocking malicious traffic.
 Static and Dynamic Application Security Testing (SAST/DAST):
These tools analyze application code (SAST) and running applications
(DAST) to identify security vulnerabilities.
 Penetration Testing: Ethical hacking performed to test the security of
an application by simulating real attacks.
 Vulnerability Scanners: Automated tools that scan web applications
for known vulnerabilities.
 4. Security Standards and Frameworks
 OWASP: The Open Worldwide Application Security Project (OWASP) is an
online community that produces freely available articles, methodologies,
documentation, tools, and technologies in the fields of IoT, system software
and web application security.
 ISO/IEC (International Electrotechnical Commission) 27001: A standard
that provides guidelines for establishing an information security
management system (ISMS) that prepares and publishes international
standards for all electrical, electronic and related technologies – collectively
known as "electrotechnology". IEC standards cover a vast range of
technologies from power generation, transmission and distribution to home
appliances and office equipment, semiconductors, fibre optics, batteries,
solar energy, nanotechnology and marine energy as well as many others.
 NIST Cybersecurity Framework: A framework that offers a
comprehensive approach to managing and mitigating cybersecurity risks.
 5. Monitoring and Incident Response

 Logging and Monitoring: Keep logs of user activity and monitor for
suspicious behavior. Detect anomalies early using intrusion detection
systems (IDS).
 Incident Response Plan: Have a plan in place to respond to security
incidents promptly, including steps for containment, eradication, and
recovery.
6. Third-Party Dependencies
 Dependency Scanning: Ensure third-party libraries and dependencies
are up-to-date and free from vulnerabilities by using tools like OWASP
Dependency-Check or Snyk.
 API Security: Protect APIs from threats such as (Distributed DoS) DDoS
attacks, authentication weaknesses, and data exposure.

By applying these principles and using appropriate tools,

organizations can significantly reduce the risk of web application
attacks and ensure the integrity, confidentiality, and availability
of their online systems.
 SQL Injection- Web Application Security
• SQL Injection is a type of cyber attack where an attacker exploits
vulnerabilities in an application's software by inserting or "injecting"
malicious SQL queries into the input fields or parameters of a web
application.

• This technique allows attackers to interfere with the queries an

application makes to its database, potentially gaining unauthorized
access to sensitive data, modifying or deleting data, or even
executing administrative operations on the database.
 How SQL Injection Works
1.User Input: Most web applications accept input from users, such as
search terms or login details. If these inputs are not properly sanitized,
attackers can insert malicious SQL code.

2.Malicious SQL Queries: The attacker manipulates the input field by

including SQL statements that the web application unwittingly executes,
compromising the database.

3.Vulnerable Application: If the application does not properly validate or

escape inputs, it will execute the attacker's SQL commands.
Types of SQL Injection
1.In-Band SQL Injection: The attacker uses the same communication
channel to both launch the attack and retrieve the results.
1. Error-based SQL Injection: Uses error messages from the database to
gather information.
2. Union-based SQL Injection: Retrieves data by extending the results
returned by a query.
2.Blind SQL Injection: The database's responses are hidden from the
attacker, so they infer information by sending payloads and
observing application behavior.
1. Boolean-based Blind SQL Injection: Sends queries to the database and
observes whether the application returns a result or not based on true/false
conditions.
2. Time-based Blind SQL Injection: Injects queries that cause time delays in
responses, giving attackers clues based on response times.
3.Out-of-Band SQL Injection: Rare, but it occurs when the attacker
uses a different communication channel to extract data (e.g., sending
the data via an HTTP request).
Example of a SQL Injection Attack
Prevention Techniques
1.Prepared Statements (Parameterized Queries): Ensure that user
input is treated strictly as data and not executable code.
2.Stored Procedures: Encapsulate SQL code within the database itself
to control input handling.
3.Input Validation and Sanitization: Always validate and sanitize
user inputs to prevent dangerous inputs from reaching the SQL query.
4.Escaping Inputs: Ensure special characters (e.g., quotes,
semicolons) in user inputs are properly escaped.
5.Database Permissions: Limit database access permissions. Ensure
that the database account used by the web application has the least
privileges necessary.
6.Web Application Firewalls (WAF): Use a WAF to filter out
suspicious SQL injection attempts.
Broken Authentication-Exposure
- Web Application Security

Broken Authentication is a common web security vulnerability where an

application's authentication mechanisms are either poorly implemented or
misconfigured, allowing attackers to bypass authentication controls,
impersonate other users, or escalate privileges.
Common Causes of Broken Authentication:
1.Weak Password Policies: Allowing users to set simple or easily
guessable passwords (e.g., "12345").
2.Credential Stuffing: Reusing credentials obtained from previous
data breaches to log into other systems.
3.Session Management Issues: Poor handling of session tokens,
such as not invalidating a session after logout or failing to regenerate
tokens after login.
4.Unprotected API Endpoints: APIs that lack proper authentication
mechanisms, allowing unauthorized access.
5.Brute-Force Attacks: Systems that do not limit the number of failed
login attempts can be vulnerable to brute-force attacks.
6.Exposed Credentials: Storing credentials insecurely, such as in
plaintext or using weak encryption.
7.Improper Multi-factor Authentication (MFA): Not enforcing MFA
or having flawed MFA implementations that can be bypassed.
Preventive Measures
• Strong Password Policies: Enforce password complexity, length, and
regular updates. Avoid common passwords.
• Account Lockout Mechanisms: Implement rate limiting and account
lockouts to defend against brute-force attacks.
• Session Management Best Practices: Regenerate session tokens
after login, and ensure proper session invalidation on logout.
• Multi-Factor Authentication (MFA): Implement and enforce MFA for
sensitive actions or user accounts.
• Secure Password Storage: Hash and salt passwords using strong
algorithms.
• Use of Secure Frameworks: Use well-established authentication
libraries or frameworks instead of building custom ones.
Impact of Exploiting Broken Authentication

Attackers can gain unauthorized access to user accounts,

steal sensitive data, or perform actions on behalf of
legitimate users.

This can result in data breaches, financial loss, and

damage to user trust.
 Sensitive Data Exposure-
Web Application Security
• Sensitive Data Exposure occurs when
applications fail to adequately protect
sensitive information, such as passwords,
credit card numbers, healthcare data, or
personal identifiable information (PII).

• It is another critical issue from the OWASP

list and can lead to severe consequences,
including identity theft, financial fraud, or
regulatory violations.
 Common Causes of Sensitive Data
Exposure
1.Lack of Encryption: Sensitive data is transmitted or stored without
encryption, making it accessible to attackers in the event of a breach.
2.Weak Encryption: Use of outdated or weak encryption algorithms
(e.g., MD5, SHA-1) that can be easily cracked by attackers.
3.Insecure Communication Channels: Data is transmitted over
unsecured channels, such as HTTP instead of HTTPS, allowing attackers
to intercept the data (man-in-the-middle attacks).
4.Exposed Databases: Databases are left unprotected, or security
configurations are mismanaged, allowing unauthorized access to stored
sensitive data.
5.Improper Tokenization or Masking: Failure to mask or tokenize
sensitive information in logs, reports, or front-end displays.
6.Excessive Data Exposure: Applications return more data than
necessary in responses (e.g., returning full account details when only
part of the information is needed).
7.Unprotected Backups: Failure to encrypt or securely store backup
data makes it vulnerable to theft or loss.
Sensitive Data Examples

• Passwords
• Credit card numbers
• Social Security Numbers (SSNs)
• Health records
• Financial records
• Personal Identification Information
(PII) like names, addresses, and
phone numbers
Preventive Measures
1.Encryption:
1. Use strong encryption algorithms (e.g., AES-256) to protect sensitive data both
in transit and at rest.
2. Always enforce HTTPS to encrypt communication over the network.
3. Ensure sensitive data is never transmitted over HTTP or unencrypted channels.
2.Use Strong Hashing Algorithms:
1. Store passwords and sensitive information using strong hashing algorithms (e.g.,
bcrypt, Argon2, PBKDF2) with proper salting to prevent attackers from easily
recovering the data if compromised.
3.Limit Data Exposure:
1. Ensure only the minimum necessary sensitive information is collected, processed,
and returned in API responses or displayed in logs.
2. Implement proper access control so users can only see data they are authorized
to access.
4.Secure Storage:
1. Encrypt databases and sensitive files, including backups.
2. Ensure backup files are stored securely and encrypted to prevent unauthorized
access.
 Preventive Measures
5. Tokenization:
1. Use tokenization to replace sensitive data with a token that can be stored or
transmitted without exposing the actual data.
6. Masking:
2. Mask sensitive data in UI and log files (e.g., display only the last four digits
of a credit card).
7. Secure Key Management:
3. Protect encryption keys using proper key management strategies (e.g.,
hardware security modules (HSMs), proper access control).
8. Compliance:
4. Adhere to regulatory requirements, which often mandate strict handling of
sensitive data.
9. Security Audits and Testing:
5. Regularly perform security audits, code reviews, and vulnerability
assessments to identify and fix potential data exposure risks.
6. Use penetration testing to verify the effectiveness of encryption and secure
communication channels.
 Impact of Sensitive Data Exposure
• Data Breaches: Leaking sensitive information can lead to large-
scale breaches, affecting user privacy and resulting in financial
loss.
• Regulatory Fines: Non-compliance with data protection
regulations like GDPR(General Data Protection Regulation),
HIPAA(Health Insurance Portability and Accountability Act), or PCI-
DSS(Payment Card Industry Data Security Standard) can lead to
substantial fines and legal penalties.
• Identity Theft and Fraud: Exposed data can be used for
identity theft, credit card fraud, or other malicious activities.
• Loss of Trust: Customers lose trust in organizations that fail to
protect their sensitive data, which can hurt the brand’s reputation
and lead to loss of business.
XML External Entities (XXE)-
Web Application Security

• XML External Entities (XXE) is a

vulnerability that arises when an XML
parser processes external entities
incorrectly.
• This vulnerability allows attackers to
manipulate XML data and cause the
server to process malicious inputs.
• XXE attacks can lead to the disclosure
of sensitive data, denial of service
(DoS), server-side request forgery
(SSRF), and, in some cases, remote
code execution.
• XXE is part of the OWASP Top 10
security risks due to its potential for
widespread exploitation.
How XXE Works:
• XML documents may contain a special feature called
"external entities"—a kind of placeholder or reference that
allows data to be loaded from an external resource, such
as a URL or file.

• If an XML parser is not properly configured to block

external entities, an attacker can craft XML data that
references malicious or sensitive files.
Common Types of XXE Attacks:
1.File Disclosure: The attacker can access sensitive
files on the server, such as configuration files, password
files, or other confidential documents.
2.Denial of Service (DoS): By referencing large or
infinite resources (e.g., recursive entities), attackers can
exhaust server resources, causing the system to crash.
3.Server-Side Request Forgery (SSRF): XXE can be
used to make unauthorized HTTP requests from the
server to internal or external services, potentially
accessing restricted systems.
4.Remote Code Execution (RCE): In rare cases,
attackers may find ways to execute arbitrary code on
the server by exploiting XXE vulnerabilities.
 Prevention of XXE
1.Disable External Entity Processing:
1. Ensure that XML parsers are configured to disable DTDs (Document Type
Definitions) and external entities.
2. Use Safer XML Parsers:
Switch to parsers that do not process external entities by default or provide better security against XXE
attacks.
3. Validate Input Data:
If your application accepts XML input, validate it against a schema that does not allow DTDs or external
entities.
4. Use Less Complex Data Formats:
If possible, avoid using XML entirely for user-supplied input. Consider alternative formats like JSON, which
are simpler and less prone to this type of vulnerability.
5. Keep Software Updated:
Ensure that your XML parsers, libraries, and frameworks are regularly updated, as many vulnerabilities
arise from outdated or unpatched software.
6. Perform Security Testing:
1. Regularly perform security testing, including static analysis, dynamic analysis, and fuzz testing, to
identify XXE vulnerabilities.
2. Use automated security scanners that can detect XXE issues during the development process.
 Impact of XXE:
• Data Breaches: Attackers can exfiltrate sensitive server
files, such as password configurations or API keys.
• Server Compromise: If combined with other
vulnerabilities, XXE can escalate into more severe attacks
like SSRF or RCE.
• Loss of Service: In cases of denial-of-service attacks, the
system could crash or become unresponsive.
 Detection

•Manual Code Review: Review the code handling XML

parsing to ensure that external entities are disabled.
•Dynamic Testing: Use penetration testing tools like Burp Suite
or OWASP ZAP to detect and exploit XXE vulnerabilities.
•Automated Scanners: Security tools like Snyk, Veracode,
and Checkmarx can automatically scan your codebase and
alert you to potential XXE vulnerabilities.