Web Unit 1

The document provides an overview of web applications and their security, detailing their benefits, drawbacks, and how they differ from cloud applications. It discusses common security threats, vulnerabilities, and measures to protect web applications, including input validation and attack surface reduction. Additionally, it emphasizes the importance of classifying and prioritizing security threats to enhance protection strategies.

Uploaded by

Karthik Vijay

CSH011-Web Application Security

UNIT-I OVERVIEW OF WEB APPLICATIONS AND SECURITY

Introduction to web applications - Benefits and Drawbacks of Web Applications - Web Application Vs Cloud application. Security Fundamentals: Introduction to web application security - Input Validation - Attack Surface Reduction - Rules of Thumb - Classifying and Prioritizing Security Threats.
1.1 Introduction to web applications
A web application is an application program that is usually stored on a remote server and that users access through software known as a web browser.

Website: A collection of static or dynamic web pages that present content (text, images, videos) to users. Websites are primarily informational and focus on displaying data rather than user interaction.
Example: A blog, news site, or portfolio.

Web Application: An interactive system that allows users to perform tasks or manipulate data. Web applications typically require user input and provide dynamic content based on interactions.
Example: An online banking system, e-commerce platform, or social media site.
Some common web applications

Workplace collaboration web applications
Workplace collaboration web apps allow team members to access documents, shared calendars, business instant messaging services, and other enterprise tools.

Ecommerce web applications
Ecommerce web apps such as Amazon.com enable users to browse, search, and pay for products online.

Email web applications
Webmail apps are widely used by enterprises and personal users to access their emails. They often include other communication tools such as instant messaging and video meetings.

Online banking web applications
Business and personal users widely use online banking web apps to access their accounts and other financial products such as loans and mortgages.
How do web applications work?
User Request: The client (browser) sends an HTTP request (e.g., searching for a product or submitting a form).
Process Request: The server processes the request, applies business logic, and interacts with the database if needed.
Database Query: The server fetches or stores data in the database as part of the processing.
Prepare Response: After processing, the server prepares the response, which could be HTML, JSON, or other content.
Server Response: The server sends the response back to the client via HTTP.
Render and Update UI: The client receives the response and updates the UI, displaying the requested information to the user.
1.2 Benefits and Drawbacks of Web Applications
Benefits of Web Applications:
• Cross-Platform Access: Works on any device with a
browser.
• No Installation: Accessible without downloads.
• Automatic Updates: Always up-to-date.
• Global Accessibility: Reachable from anywhere with
internet.
• Cost-Effective: One app for all platforms.
• Easy Integration: Connects easily with other web
services.
• Scalable: Grows with user demand.
• Centralized Data: Simplified data management.
Drawbacks of Web Applications:
• Internet Dependent: Needs internet to function.
• Performance Limitations: Slower than native apps
for heavy tasks.
• Security Risks: Vulnerable to online attacks.
• Browser Compatibility: Behavior varies by browser.
• Limited Offline Use: Mostly unusable offline.
• Privacy Concerns: Data stored remotely.
• Complex Testing: Needs testing across multiple
devices and browsers.
• Latency Issues: Possible delays due to server
location.
1.3 Web Application Vs Cloud application
A web application is software that runs on a web server and is accessed through a web browser.
It primarily delivers content or services via the internet and is typically dependent on an internet connection for functionality.
Web applications do not require downloading or installation, making them accessible across various devices.
Client (Browser) → Internet → Web Server (Hosting Web Application) → Database Server.
The browser sends requests to the web server, which processes them and returns data from the database.
The application is entirely dependent on the web server and typically functions online only.
Example: Google Search
Google Search is a web application accessed through a browser. It allows users to enter search queries and displays results sourced from Google's web servers. It requires an internet connection and runs entirely within the browser.

A cloud application is software that uses cloud infrastructure (such as remote servers for processing, storage, and data management) to deliver services.
While it may be accessed through a browser like a web app, a cloud application often offers more complex functionality, including offline features and dynamic scaling based on demand.
Client (Browser/App) → Internet → Cloud Service (e.g., AWS, Azure) → Multiple Servers (Compute, Storage, Database).
The application interacts with cloud services, which dynamically scale resources like storage and computing power based on demand.
Cloud applications can work offline and sync data when the device is reconnected.
Example: Google Drive
Google Drive is a cloud application that provides file storage, synchronization, and collaboration services.
It uses cloud infrastructure to store files and data, allows users to access their files from any device, and provides offline access by syncing data when the device reconnects to the internet.
1.4 Introduction to web application security
Web Application Security is the practice of protecting web applications from threats and vulnerabilities to ensure the confidentiality, integrity, and availability of data and services.
1. Threats:
Cyber Attacks Example: A Distributed Denial of Service (DDoS) attack targets a web application by overwhelming it with traffic, making it unavailable to users.
Malware Example: An attacker might inject a malicious script into a web application that steals user credentials when users log in.
2. Common Vulnerabilities:
Cross-Site Scripting (XSS) Example: An attacker inserts malicious JavaScript into a comment field on a blog, which executes when other users view the comment.
SQL Injection (SQLi) Example: An attacker inputs a malicious SQL query into a login form, allowing unauthorized access to the database and sensitive user information.
Cross-Site Request Forgery (CSRF) Example: An attacker tricks a logged-in user into submitting a form that changes account settings on a web application without the user’s consent.
Insecure Direct Object References (IDOR) Example: An attacker manipulates a URL to access other users' account details by changing a parameter in the request.
3. Security Measures:
Authentication: Verifying user identity through methods like passwords, multi-factor authentication, and biometrics.
Authorization: Ensuring users have the right permissions to access resources.
Data Encryption: Protecting data in transit and at rest using encryption to prevent unauthorized access.
Secure Coding Practices: Writing code that is resistant to attacks, including input validation and proper error handling.
Regular Security Audits: Periodically reviewing and testing the application for vulnerabilities.
1.5 Input Validation
Input Validation in web application security refers to the process of verifying and sanitizing user input to ensure it is safe and meets the expected format before processing it.
1. Type Checking: Ensuring that the input data type matches the expected type (e.g., numeric, text).
Example: Validating that a user’s age input is a numeric value rather than text.
2. Length Validation: Checking that the input length is within acceptable bounds to prevent buffer overflow and other issues.
Example: Limiting a username to a maximum of 20 characters.
3. Format Validation: Ensuring the input matches a predefined format or pattern (e.g., email addresses, phone numbers).
Example: Using regular expressions to validate that an email address is in the correct format.
4. Range Validation: Checking that numeric inputs fall within a specified range to prevent invalid or harmful data.
Example: Ensuring that a user’s age is between 0 and 120.
5. Sanitization: Cleaning input to remove potentially harmful characters or data.
Example: Escaping special characters in SQL queries to prevent SQL injection.
6. Whitelist Validation: Allowing only predefined, safe values or formats while rejecting all others.
Example: Allowing only specific file types for uploads (e.g., .jpg, .png).
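Added example (not from the notes): the six checks above applied to one registration form in Python. For the sanitization step it uses parameterized SQL in place of manual escaping, and HTML escaping for output into a page; the field names, the in-memory table and the sample values are constructed for illustration.

```python
import html
import os
import re
import sqlite3

# Constructed example: the six checks from the notes (type, length, format,
# range, whitelist, sanitization) applied to one registration form.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
ALLOWED_UPLOAD_EXTENSIONS = {".jpg", ".png"}  # whitelist from the notes
MAX_USERNAME_LEN = 20                         # length bound from the notes

def validate_registration(form: dict) -> tuple[dict, list[str]]:
    """Return (cleaned_values, errors); every check runs so all problems are reported."""
    errors: list[str] = []
    clean: dict = {}
    # Length validation: reject over-long usernames instead of silently truncating.
    username = str(form.get("username", ""))
    if not 1 <= len(username) <= MAX_USERNAME_LEN:
        errors.append("username must be 1-20 characters")
    clean["username"] = username
    # Type checking, then range validation: age must be digits and within 0..120.
    age_raw = str(form.get("age", ""))
    if not age_raw.isdigit():
        errors.append("age must be numeric")
    elif not 0 <= int(age_raw) <= 120:
        errors.append("age must be between 0 and 120")
    else:
        clean["age"] = int(age_raw)

    # Format validation: the email must match the expected pattern.
    email = str(form.get("email", ""))
    if not EMAIL_RE.match(email):
        errors.append("email has an invalid format")
    clean["email"] = email

    # Whitelist validation: anything not on the allow-list is rejected, not "cleaned".
    ext = os.path.splitext(str(form.get("avatar", "")))[1].lower()
    if ext not in ALLOWED_UPLOAD_EXTENSIONS:
        errors.append("avatar must be a .jpg or .png file")
    # Sanitization for HTML output: escaping stops a bio from running as script (XSS).
    clean["bio_html"] = html.escape(str(form.get("bio", "")))
    return clean, errors

def store_and_fetch_user(clean: dict) -> tuple:
    """Parameterized INSERT into a constructed in-memory table, then read the row back."""
    # The driver keeps data apart from SQL text, so quotes in a username need no manual escaping.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, age INTEGER, email TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (clean["username"], clean["age"], clean["email"]))
    return conn.execute("SELECT username, age, email FROM users").fetchone()
```

Only a form that produced no errors should reach store_and_fetch_user; a rejected form is reported back to the user, not repaired on the server.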
Input Validation Importance:
Prevents Attacks: Helps protect against attacks like SQL injection, cross-site scripting (XSS), and command injection.
Enhances Data Integrity: Ensures that data entered into the system is valid and reliable.
Improves Application Reliability: Reduces the risk of application crashes or unexpected behavior due to invalid input.
1.6 Attack Surface Reduction
Attack Surface Reduction (ASR) is the process of minimizing the number of entry points or vulnerabilities in a system to reduce the opportunities for exploitation and unauthorized access.
Limit Exposure: Only expose necessary features and endpoints. Disable or remove unused components.
Validate Inputs: Always validate and sanitize user inputs to prevent injection attacks.
Apply Least Privilege: Ensure users and services have the minimum permissions necessary for their tasks.
Use Strong Authentication: Implement robust authentication mechanisms, including multi-factor authentication (MFA).
Secure Configuration: Harden system configurations and use secure default settings.
Regular Updates: Keep software and libraries up to date with the latest security patches.
Use Security Headers: Implement security headers like Content Security Policy (CSP) and Strict-Transport-Security (HSTS).
Monitor and Log: Continuously monitor and log activities for suspicious behavior and potential threats.
Conduct Security Testing: Regularly perform penetration testing and security assessments to identify and fix vulnerabilities.
The attack surface can be split into two main categories:
Digital Attack Surface: The set of all digital entry points and vulnerabilities in a system, including interfaces, data, code, configuration, and network.
Eg: An exposed API endpoint that allows unauthorized access to sensitive data if not properly secured.
Physical Attack Surface: The physical elements and access points of a system, including hardware, facilities, peripheral devices, and physical access controls.
Eg: Unauthorized physical access to a data center where servers storing sensitive information are located.
1.7 Rules of Thumb
• Use HTTPS: Encrypt all data in transit with HTTPS.
• Sanitize Inputs: Validate and clean all user inputs to prevent attacks.
• Least Privilege: Give users only the access they need.
• Strong Authentication: Use MFA to secure user
accounts.
• Update and Patch: Keep software and dependencies up
to date.
• Secure Sessions: Use secure tokens and enforce session
timeouts.
• Encrypt Data: Encrypt sensitive data at rest and in
transit.
• Rate Limiting: Limit request rates to prevent abuse.
• Security Testing: Regularly test for vulnerabilities.
• Log and Monitor: Track and respond to suspicious
activities.
• Secure Defaults: Start with secure settings by
default.
• Educate and Train: Teach security best practices to
everyone involved.
1.8 Classifying and Prioritizing Security Threats
Classification of Security Threats
1. By Source:
• Internal Threats: These originate within the organization, such as insider threats, disgruntled employees, or unintentional mistakes by staff.
• External Threats: These come from outside the organization, such as hackers, cybercriminals, or nation-state actors.
2. By Type:
• Malware: Viruses, worms, Trojans, ransomware, etc.
• Phishing: Attempts to steal sensitive information
through deceptive emails or websites.
• Denial of Service (DoS): Attacks that disrupt services
by overwhelming them with traffic.
• Man-in-the-Middle (MitM): Attacks where the attacker
intercepts and potentially alters the communication
between two parties.
• Insider Threats: Employees or contractors who misuse
their access to cause harm.
3. By Impact:
• Confidentiality Breach: Unauthorized access to
sensitive information.
• Integrity Breach: Unauthorized alteration of data.
• Availability Disruption: Denial of access to
information or services.
• Financial Impact: Threats that could lead to
financial losses.
• Reputational Damage: Threats that could harm the
organization's reputation.
Prioritize Security Threats
1. Risk Assessment:
• Likelihood: Estimate how likely the threat is to occur.
• Impact: Assess potential damage if the threat happens.
• Risk Score: Combine likelihood and impact to rank threats.
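Added example (not from the notes): a likelihood × impact risk matrix that ranks a small threat register in Python. The level names, the band thresholds and the sample threats are constructed choices for illustration; the source and type labels follow the classification above.

```python
# Constructed example: a 5x5 likelihood x impact matrix for ranking threats.
# Threat entries, level names and band thresholds are illustrative choices,
# not values from the notes.
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

def risk_score(likelihood: str, impact: str) -> int:
    """Combine likelihood and impact (each 1-5) into a score from 1 to 25."""
    return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]

def risk_band(score: int) -> str:
    """Map a score onto a priority band; the thresholds are a chosen convention."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"

def prioritize(threats: list[dict]) -> list[dict]:
    """Return threats highest risk first, each annotated with its score and band.

    Ties on score are broken by impact, so a rare but devastating threat
    outranks a frequent nuisance that happens to have the same product.
    """
    ranked = []
    for t in threats:
        score = risk_score(t["likelihood"], t["impact"])
        ranked.append({**t, "score": score, "band": risk_band(score)})
    ranked.sort(key=lambda t: (t["score"], LEVELS[t["impact"].lower()]), reverse=True)
    return ranked

# Constructed sample register labelled with the notes' classification by source and type.
SAMPLE_THREATS = [
    {"name": "Ransomware via malicious attachment", "source": "external",
     "type": "malware", "likelihood": "high", "impact": "very high"},
    {"name": "Phishing of staff credentials", "source": "external",
     "type": "phishing", "likelihood": "very high", "impact": "high"},
    {"name": "Disgruntled admin exfiltrates customer data", "source": "internal",
     "type": "insider", "likelihood": "low", "impact": "very high"},
    {"name": "DoS against the public site", "source": "external",
     "type": "DoS", "likelihood": "medium", "impact": "medium"},
]
```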

2. Mitigation Strategies
• Preventive Measures: Use firewalls, encryption, and access
controls.
• Detective Measures: Implement monitoring tools and conduct
regular audits.
• Corrective Measures: Prepare incident response plans and
backups.
• Training and Awareness: Educate employees on security best
practices.
3. Continuous Monitoring and Review:
• Regular Updates: Continuously monitor and update threat classifications and priorities.
• Post-Incident Analysis: Learn from incidents to improve defenses.
• Feedback Loop: Refine the process based on lessons learned.
