CSH011-Web Application Security

UNIT-I OVERVIEW OF WEB APPLICATIONS

AND SECURITY
Introduction to web applications - Benefits and Drawbacks
of Web Applications - Web Application Vs Cloud
application. Security Fundamentals: Introduction to web
application security - Input Validation - Attack Surface
Reduction - Rules of Thumb - Classifying and Prioritizing
Security Threads.
1.1 Introduction to web applications
A web-application is an application program that is usually stored
on a remote server, and users can access it through the use of
Software known as web-browser.
Website: A collection of static or dynamic web pages that
present content (text, images, videos) to users. Websites
are primarily informational and focus on displaying data
rather than user interaction.
Example: A blog, news site, or portfolio.

Web Application: An interactive system that allows users

to perform tasks or manipulate data. Web applications
typically require user input and provide dynamic content
based on interactions.
Example: An online banking system, e-commerce
platform, or social media site.
Some common web applications

Workplace collaboration web applications

Workplace collaboration web apps allow team members
to access documents, shared calendars, business instant
messaging services, and other enterprise tools.

Ecommerce web applications

Ecommerce web apps such as Amazon.com enable users
to browse, search, and pay for products online.
Email web applications
Webmail apps are widely used by enterprises and personal
users to access their emails. They often include other
communication tools such as instant messaging and video
meetings.

Online banking web applications

Business and personal users widely use online banking web
apps to access their accounts and other financial products
such as loans and mortgages.
How do web applications work?
User Request: The client (browser) sends an HTTP request
(e.g., searching for a product or submitting a form).

Process Request: The server processes the request, applies

business logic, and interacts with the database if needed.

Database Query: The server fetches or stores data in the

database as part of the processing.
Prepare Response: After processing, the server
prepares the response, which could be HTML,
JSON, or other content.

Server Response: The server sends the response

back to the client via HTTP.

Render and Update UI: The client receives the

response and updates the UI, displaying the
requested information to the user.
1.2 Benefits and Drawbacks of Web Applications
Benefits of Web Applications:
• Cross-Platform Access: Works on any device with a
browser.
• No Installation: Accessible without downloads.
• Automatic Updates: Always up-to-date.
• Global Accessibility: Reachable from anywhere with
internet.
• Cost-Effective: One app for all platforms.
• Easy Integration: Connects easily with other web
services.
• Scalable: Grows with user demand.
• Centralized Data: Simplified data management.
Drawbacks of Web Applications:
• Internet Dependent: Needs internet to function.
• Performance Limitations: Slower than native apps
for heavy tasks.
• Security Risks: Vulnerable to online attacks.
• Browser Compatibility: Behavior varies by browser.
• Limited Offline Use: Mostly unusable offline.
• Privacy Concerns: Data stored remotely.
• Complex Testing: Needs testing across multiple
devices and browsers.
• Latency Issues: Possible delays due to server
location.
1.3 Web Application Vs Cloud application

A web application is software that runs on a web server

and is accessed through a web browser.

It primarily delivers content or services via the internet and

is typically dependent on an internet connection for
functionality.

Web applications do not require downloading or

installation, making them accessible across various devices.
Client (Browser) → Internet → Web Server
(Hosting Web Application) → Database Server.

The browser sends requests to the web server,

which processes them and returns data from the
database.

The application is entirely dependent on the web

server and typically functions online only.
Example: Google Search

Google Search is a web application accessed

through a browser. It allows users to enter search
queries and displays results sourced from
Google's web servers. It requires an internet
connection and runs entirely within the browser.
A cloud application is software that uses cloud
infrastructure (such as remote servers for
processing, storage, and data management) to
deliver services.

While it may be accessed through a browser like

web apps, cloud applications often offer more
complex functionality, including offline features
and dynamic scaling based on demand.
Client (Browser/App) → Internet → Cloud Service
(e.g., AWS, Azure) → Multiple Servers (Compute,
Storage, Database).

The application interacts with cloud services, which

dynamically scale resources like storage and
computing power based on demand.

Cloud applications can sync data and work offline

when reconnected.
Example: Google Drive

Google Drive is a cloud application that provides

file storage, synchronization, and collaboration
services.

It uses cloud infrastructure to store files and data,

allows users to access their files from any device,
and provides offline access by syncing data when
the device reconnects to the internet.
1.4 Introduction to web application security

Web Application Security is the practice of protecting

web applications from threats and vulnerabilities to ensure
the confidentiality, integrity, and availability of data and
services.
1. Threats:

Cyber Attacks Example: A Distributed Denial of

Service (DDoS) attack targets a web application by
overwhelming it with traffic, making it unavailable
to users.

MalwareExample: An attacker might inject a

malicious script into a web application that steals
user credentials when users log in.
2. Common Vulnerabilities:

Cross-Site Scripting (XSS) Example: An attacker

inserts malicious JavaScript into a comment field
on a blog, which executes when other users view
the comment.

SQL Injection (SQLi) Example: An attacker

inputs a malicious SQL query into a login form,
allowing unauthorized access to the database and
sensitive user information.
Cross-Site Request Forgery (CSRF) Example:
An attacker tricks a logged-in user into submitting
a form that changes account settings on a web
application without the user’s consent.

Insecure Direct Object References (IDOR)

Example: An attacker manipulates a URL to
access other users' account details by changing a
parameter in the request.
Security Measures:

Authentication: Verifying user identity through

methods like passwords, multi-factor
authentication, and biometrics.

Authorization: Ensuring users have the right

permissions to access resources.

Data Encryption: Protecting data in transit and at

rest using encryption to prevent unauthorized
access.
Secure Coding Practices: Writing code that is
resistant to attacks, including input validation and
proper error handling.

Regular Security Audits: Periodically reviewing

and testing the application for vulnerabilities.
1.5 Input Validation
Input Validation in web application security refers
to the process of verifying and sanitizing user
input to ensure it is safe and meets the expected
format before processing it.

1. Type Checking: Ensuring that the input data

type matches the expected type (e.g., numeric,
text).

Example: Validating that a user’s age input is a

numeric value rather than text.
2. Length Validation: Checking that the input
length is within acceptable bounds to prevent
buffer overflow and other issues.
Example: Limiting a username to a maximum of
20 characters.

3. Format Validation: Ensuring the input

matches a predefined format or pattern (e.g., email
addresses, phone numbers).
Example: Using regular expressions to validate
that an email address is in the correct format.
4. Range Validation: Checking that numeric inputs fall
within a specified range to prevent invalid or harmful data.
Example: Ensuring that a user’s age is between 0 and 120.

5. Sanitization: Cleaning input to remove potentially

harmful characters or data.
Example: Escaping special characters in SQL queries to
prevent SQL injection.

6. Whitelist Validation: Allowing only predefined, safe

values or formats while rejecting all others.
Example: Allowing only specific file types for uploads
(e.g., .jpg, .png).
Input Validation Importance:

Prevents Attacks: Helps protect against attacks

like SQL injection, cross-site scripting (XSS), and
command injection.

Enhances Data Integrity: Ensures that data

entered into the system is valid and reliable.

Improves Application Reliability: Reduces the

risk of application crashes or unexpected behavior
due to invalid input.
1.6 Attack Surface Reduction

Attack Surface Reduction (ASR) is the process of

minimizing the number of entry points or
vulnerabilities in a system to reduce the
opportunities for exploitation and unauthorized
access.
Limit Exposure: Only expose necessary features and
endpoints. Disable or remove unused components.

Validate Inputs: Always validate and sanitize user inputs

to prevent injection attacks.

Apply Least Privilege: Ensure users and services have the

minimum permissions necessary for their tasks.

Use Strong Authentication: Implement robust

authentication mechanisms, including multi-factor
authentication (MFA).

Secure Configuration: Harden system configurations and

use secure default settings.
Regular Updates: Keep software and libraries up to date
with the latest security patches.

Use Security Headers: Implement security headers like

Content Security Policy (CSP) and Strict-Transport-
Security (HSTS).

Monitor and Log: Continuously monitor and log

activities for suspicious behavior and potential threats.

Conduct Security Testing: Regularly perform

penetration testing and security assessments to identify
and fix vulnerabilities.
attack surface can indeed be split into two main
categories:
Digital Attack Surface: The set of all digital entry points
and vulnerabilities in a system, including interfaces, data,
code, configuration, and network.
Eg: An exposed API endpoint that allows unauthorized
access to sensitive data if not properly secured.

Physical Attack Surface: The physical elements and

access points of a system, including hardware, facilities,
peripheral devices, and physical access controls.
Eg: Unauthorized physical access to a data center where
servers storing sensitive information are located.
1.7 Rules of Thumb

• Use HTTPS: Encrypt all data in transit with HTTPS.

• Sanitize Inputs: Validate and clean all user inputs to
prevent attacks.
• Least Privilege: Give users only the access they need.
• Strong Authentication: Use MFA to secure user
accounts.
• Update and Patch: Keep software and dependencies up
to date.
• Secure Sessions: Use secure tokens and enforce session
timeouts.
• Encrypt Data: Encrypt sensitive data at rest and in
transit.
• Rate Limiting: Limit request rates to prevent abuse.
• Security Testing: Regularly test for vulnerabilities.
• Log and Monitor: Track and respond to suspicious
activities.
• Secure Defaults: Start with secure settings by
default.
• Educate and Train: Teach security best practices to
everyone involved.
1.8 Classifying and Prioritizing Security Threads.
Classification of Security Threats

1. By Source:

• Internal Threats: These originate within the

organization, such as insider threats, disgruntled
employees, or unintentional mistakes by staff.

• External Threats: These come from outside the

organization, such as hackers, cybercriminals, or
nation-state actors.
2. By Type:
• Malware: Viruses, worms, Trojans, ransomware, etc.
• Phishing: Attempts to steal sensitive information
through deceptive emails or websites.
• Denial of Service (DoS): Attacks that disrupt services
by overwhelming them with traffic.
• Man-in-the-Middle (MitM): Attacks where the attacker
intercepts and potentially alters the communication
between two parties.
• Insider Threats: Employees or contractors who misuse
their access to cause harm.
3. By Impact:
• Confidentiality Breach: Unauthorized access to
sensitive information.
• Integrity Breach: Unauthorized alteration of data.
• Availability Disruption: Denial of access to
information or services.
• Financial Impact: Threats that could lead to
financial losses.
• Reputational Damage: Threats that could harm the
organization's reputation.
Prioritize Security Threats
1. Risk Assessment:
• Likelihood: Estimate how likely the threat is to occur.
• Impact: Assess potential damage if the threat happens.
• Risk Score: Combine likelihood and impact to rank threats.

2. Mitigation Strategies
• Preventive Measures: Use firewalls, encryption, and access
controls.
• Detective Measures: Implement monitoring tools and conduct
regular audits.
• Corrective Measures: Prepare incident response plans and
backups.
• Training and Awareness: Educate employees on security best
practices.
3. Continuous Monitoring and Review:

• Regular Updates: Continuously monitor and update

threat classifications and priorities.

• Post-Incident Analysis: Learn from incidents to

improve defenses.

• Feedback Loop: Refine the process based on lessons

learned.