Security Considerations For Web Applications
Presented by:
Name: JATHIN NADELLA
Roll no: 206124015
Introduction
In today's world, web applications have become an essential part of our daily
lives. From online shopping to social networking, we use web applications for a
variety of purposes. However, with the increasing dependence on web
applications, the risk of cyber attacks has also grown. Cybercriminals are always
looking for vulnerabilities in web applications that they can exploit to steal
sensitive information, disrupt services, or cause financial harm. Therefore, it is
essential to ensure that web applications are designed, developed and
maintained with security in mind.
Overview
• Definition of Web Application Security
• Why is Web Application Security Important?
• Common Threats to Web Applications
• Best Practices for Web Application Security
Web Application Security
• Web application security is the practice of protecting web applications from
cyber attacks, data breaches, and other security threats.
• The goal of web application security is to prevent unauthorized access to
sensitive data, protect user privacy, and ensure the availability and integrity of
web applications.
Why is Web Application Security Important?
• Web applications are a popular target for cybercriminals.
• Web application vulnerabilities can result in data breaches, loss of sensitive
information, and financial damages.
• Web application security is crucial for maintaining user trust, meeting
compliance requirements, and avoiding legal and regulatory penalties.
Here are some alarming stats about web security
1. According to a study by IBM, the average cost of a data breach in 2020 was $3.86 million.
2. According to a report by Norton, in 2020, there were 5,258 publicly disclosed data breaches, which exposed 7.9 billion records.
3. A study by Google found that there has been a 50% increase in the number of hacked websites in 2020 compared to 2019.
4. According to a report by Akamai, there were 193 million web application attacks in 2020, which is a 20% increase from 2019.
5. A study by Imperva found that the average website experiences 58 attacks per day.
6. A report by Verizon found that 80% of data breaches are caused by weak or stolen passwords.
7. According to a study by Cybersecurity Ventures, cybercrime will cost the world $6 trillion annually by 2021, which is up from $3 trillion in 2015.
SQL Injection
• SQL Injection is a common web application attack that enables attackers to
execute malicious SQL commands on a web application's database.
• SQL Injection can lead to data theft, data corruption, and other security
vulnerabilities.
• Best practices for preventing SQL Injection include using parameterized
queries, validating user input, and sanitizing input data.
SQL injection example
The application doesn't implement any defenses against SQL injection attacks, so an attacker can construct an attack like:
https://insecure-website.com/products?category=Gifts'--
This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
The key thing here is that the double-dash sequence -- is a comment indicator in SQL, and means that the rest of
the query is interpreted as a comment. This effectively removes the remainder of the query, so it no longer includes
AND released = 1. This means that all products are displayed, including unreleased products.
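The same query, reproduced against a small in-memory SQLite table so the effect of the comment sequence can be observed directly, alongside the parameterized form the slides recommend. This is an added example with constructed data, not code from the original slides.

```python
import sqlite3


def make_db():
    # Constructed sample data: one unreleased product that must never be listed
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("Mug", "Gifts", 1), ("Secret gadget", "Gifts", 0), ("Lamp", "Home", 1)],
    )
    return conn


def products_vulnerable(conn, category):
    # Vulnerable: user input is concatenated into the SQL text, so the input
    # "Gifts'--" turns "AND released = 1" into a comment and drops the filter
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return sorted(row[0] for row in conn.execute(sql))


def products_safe(conn, category):
    # Fixed: a parameterized query sends the value separately from the SQL text,
    # so the quote and the "--" are just characters in the category string
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in conn.execute(sql, (category,)))


if __name__ == "__main__":
    db = make_db()
    payload = "Gifts'--"
    print(products_vulnerable(db, payload))  # ['Mug', 'Secret gadget']  <- unreleased item leaks
    print(products_safe(db, payload))        # []                        <- no category matches literally
    print(products_safe(db, "Gifts"))        # ['Mug']
```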
Cross-Site Scripting (XSS)
• Cross-site scripting works by manipulating a vulnerable web site so that it returns
malicious JavaScript to users. When the malicious code executes inside a victim's
browser, the attacker can fully compromise their interaction with the application.
• Cross-Site Scripting (XSS) is a type of web application attack that allows
attackers to inject malicious scripts into a web application's HTML pages.
• XSS attacks can lead to data theft, session hijacking, and other security
vulnerabilities.
• Best practices for preventing XSS attacks include sanitizing user input, validating
input data, and using Content Security Policy (CSP).
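To show what "sanitizing user input" and a Content Security Policy look like in practice, here is an added example (not from the original slides) that renders a constructed user review into HTML, first unencoded and then HTML-encoded, and attaches a CSP header as a second layer.

```python
from html import escape

# Restrictive policy: scripts only from the site's own origin, no inline script,
# no plugins. Defence in depth in case an encoding bug slips through somewhere.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def render_unsafe(review):
    # Vulnerable: the raw review text becomes part of the page's markup, so any
    # tags the user typed are parsed and executed by the browser
    return f'<p class="review">{review}</p>'


def render_safe(review):
    # Fixed: HTML-encode the text for the element-body context; '<', '>', '&' and
    # quotes are rendered as characters and can no longer open a tag or attribute
    return f'<p class="review">{escape(review, quote=True)}</p>'


def response(review):
    # Headers and body of the hardened response
    return {"Content-Security-Policy": CSP}, render_safe(review)


def contains_script_tag(html):
    # Simple check used to compare the two renderings
    return "<script" in html.lower()


if __name__ == "__main__":
    review = 'Great mug <script>alert(1)</script>'   # constructed test input
    print(render_unsafe(review))   # tag survives: the browser would run it
    print(render_safe(review))     # tag is displayed as text
    print(response(review)[0])
```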
Cross-Site Request Forgery (CSRF)
• Cross-Site Request Forgery (CSRF) is a type of web application attack that
allows attackers to trick users into performing actions on a web application
without their consent.
• CSRF attacks can lead to unauthorized transactions, data theft, and other
security vulnerabilities.
• Best practices for preventing CSRF attacks include using anti-CSRF tokens,
validating user input, and using secure cookies.
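An added example (not from the original slides) of the two defences named above: a per-session anti-CSRF token that every state-changing request must echo back, and a session cookie set with the Secure, HttpOnly and SameSite attributes. The in-memory session store and the transfer handler are constructed for illustration.

```python
import hmac
import secrets

# Stand-in for a server-side session store: session_id -> session data
SESSIONS = {}


def create_session(user):
    # One random session id and one random CSRF token per login
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id):
    # The server embeds this in its own forms as a hidden field; a page on another
    # site cannot read it, so a forged cross-site request cannot include it
    return SESSIONS[session_id]["csrf_token"]


def set_cookie_header(session_id):
    # "Secure cookies": HTTPS only, not readable by script, not sent on cross-site
    # navigations that could carry a forged POST
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def handle_transfer(session_id, form):
    # State-changing endpoint: require a valid session and a matching token
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so token checking does not leak timing information
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} for {session['user']}"


if __name__ == "__main__":
    sid = create_session("alice")
    print(set_cookie_header(sid))
    print(handle_transfer(sid, {"amount": "10", "csrf_token": csrf_token_for(sid)}))
    print(handle_transfer(sid, {"amount": "10"}))  # forged request: no token -> 403
```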
Broken Authentication and Session Management
• Broken Authentication and Session Management vulnerabilities can allow
attackers to steal user credentials, impersonate users, and access sensitive
data.
• Best practices for preventing Broken Authentication and Session Management
vulnerabilities include using strong passwords, using multi-factor
authentication, and using secure session management techniques.
Insecure Direct Object References
• Insecure Direct Object References occur when a web application exposes
sensitive data or functionality without proper authorization checks.
• Insecure Direct Object References can lead to data theft, data corruption, and
other security vulnerabilities.
• Best practices for preventing Insecure Direct Object References include using
access controls, using encryption, and validating user input.
Security Misconfiguration
• Security Misconfiguration vulnerabilities occur when a web application is not
properly configured, leaving it open to attacks.
• Security Misconfiguration can lead to data breaches, data corruption, and
other security vulnerabilities.
• Best practices for preventing Security Misconfiguration include using secure
defaults, removing unused services and components, and regularly patching
and updating software.
Insufficient Logging and Monitoring
• Insufficient Logging and Monitoring can make it difficult for organizations to
detect and respond to security incidents.
• Insufficient Logging and Monitoring can lead to data breaches, unauthorized
access, and other security vulnerabilities.
• Best practices for preventing Insufficient Logging and Monitoring
vulnerabilities include implementing a comprehensive logging and monitoring
strategy, using intrusion detection and prevention systems, and regularly
reviewing logs.
Best Practices for Web Application Security
• Use strong authentication and access controls.
• Use encryption to protect sensitive data in transit and at rest.
• Use secure coding practices and regularly test code for vulnerabilities.
• Implement a comprehensive security testing program.
• Regularly update software and firmware.
• Implement a comprehensive logging and monitoring strategy.
Tools and Techniques for Web Application Security
• Web Application Firewalls (WAFs)
• Penetration Testing
• Vulnerability Scanning
• Code Review
• Threat Modeling
Conclusion
• Web Application Security is critical for protecting sensitive data, maintaining
user trust, and avoiding legal and regulatory penalties.
• Organizations must take a proactive approach to web application security by
implementing best practices, using tools and techniques for security testing,
and regularly updating software and firmware.
• By following these guidelines, organizations can minimize the risk of security
breaches and maintain a secure and reliable web application environment.