Web Application

Prepared by

Shaikh Tariqul Islam


(CEH, MCSA, RHCE, RHCSA)
Cyber Security Specialist, A Bank

jutariqul@gmail.com; 01716652352
What is a web application?

A web application is a software application that is accessed and interacted with through a
web browser over a network, typically the internet. Unlike traditional desktop applications
that run on a user's computer, web applications are hosted on servers and can be accessed
through a web browser, making them platform-independent and easily accessible from
various devices.

Web applications use a combination of front-end and back-end technologies to provide a
user interface and process user inputs. The front-end is the part of the application that
users interact with directly, and it is typically built using web technologies such as HTML,
CSS, and JavaScript. The back-end is the server side of the application, responsible for
processing requests, managing databases, and performing other server-side tasks. It is
often built using server-side languages and runtimes such as PHP, Python, Ruby, or Node.js,
and interacts with databases and other server components.
The Flow of the Web Application
How does a web application work?
Front-end Interface (Client-side Programming).
HTML (HyperText Markup Language), CSS (Cascading Style Sheets), and JavaScript are
used to create the front-end interface (client-side programming).
Back-end Interface (Server-side Programming).
The server-side scripts of a web application are written in programming languages such as
Java, Python, PHP, and Ruby; Python and Java are the languages most commonly used for
server-side programming.
Key points about web applications:
Accessibility: Web applications are accessible from any device with a web browser and an internet
connection, providing users with flexibility in terms of platform and location.

Cross-Platform Compatibility: They are designed to work across different operating systems and
devices, ensuring a consistent user experience regardless of the device being used.

Client-Server Architecture: Web applications follow a client-server architecture, where the client
(user's browser) interacts with the server to request and receive data or perform actions.

Front-End Technologies: The front-end of web applications is built using technologies like HTML
(structure), CSS (presentation), and JavaScript (interactivity), which run in the user's browser.

Back-End Technologies: The back-end is responsible for server-side processing and is often built using
server-side scripting languages (e.g., PHP, Python, Ruby) and frameworks, interacting with databases
and other server components.

Statelessness: HTTP, the protocol used for communication in web applications, is stateless. Each
request from the client to the server is independent, and the server does not retain information about
the client between requests. Sessions and cookies are commonly used to manage state.

Database Integration: Web applications often interact with databases to store and retrieve data.
Common database systems include MySQL, PostgreSQL, MongoDB, and others.

Security: Web applications need to address security concerns, such as data encryption, user
authentication, authorization, and protection against common web vulnerabilities like Cross-Site
Scripting (XSS) and Cross-Site Request Forgery (CSRF).

Scalability: Web applications should be designed to handle varying levels of user traffic and data,
requiring scalable architectures and infrastructure to accommodate growth.

Updates and Maintenance: Web applications can be updated centrally on the server, allowing for
easier maintenance and the deployment of new features without requiring updates on individual user
devices.

User Interaction: They often include interactive elements, dynamic content, and user-friendly
interfaces to enhance the user experience.

APIs (Application Programming Interfaces): Web applications may provide APIs to allow
integration with other applications and services, promoting interoperability.

Responsive Design: Many web applications are designed to be responsive, adapting their
layout and functionality based on the screen size and device type to provide a seamless
experience across different devices.
Architecture of Web Application
The three layers of a web application architecture:
• Presentation layer / Client Layer
• Application Layer / Business Logic Layer
• Data Layer
Types of web application
Static Web Applications:
• Consist of static web pages that do not change in response to user interactions.
• Suitable for displaying information that doesn't frequently change, such as company websites or
personal blogs.
Dynamic Web Applications:
• Generate dynamic content based on user interactions or inputs.
• Utilize server-side scripting and databases to provide personalized and real-time information.
• Examples include social media platforms, content management systems (CMS), and e-commerce
websites.
Single Page Applications (SPAs):
• Load a single HTML page and dynamically update the content as the user interacts with the
application.
• Often built using JavaScript frameworks like React, Angular, or Vue.js.
• Provide a seamless and responsive user experience.
E-commerce Applications:
• Facilitate online buying and selling of products or services.
• Include features such as shopping carts, payment gateways, and order processing.
• Examples include Amazon, eBay, and Shopify.
Content Management Systems (CMS):
• Enable users to create, manage, and modify digital content on a website without requiring technical
expertise.
• Examples include WordPress, Drupal, and Joomla.
Social Media Applications:
• Allow users to connect, share content, and communicate with others online.
• Feature user profiles, timelines, and interactive elements.
• Examples include Facebook, Twitter, and Instagram.
Web Portals:
• Provide a unified gateway to access various services, information, or resources.
• Often used in enterprise environments for employee access to company resources.
• Examples include employee portals, customer portals, and government portals.
Web Application vulnerability

Injection Attacks:
• SQL Injection (SQLi): Attackers inject malicious SQL queries to manipulate a database.
• Cross-Site Scripting (XSS): Malicious scripts are injected into web pages, which can then be executed
by other users' browsers.

Cross-Site Request Forgery (CSRF):
• Malicious websites trick users into performing actions on a different site where they are
authenticated.

Cross-Site Script Inclusion (XSSI):
• Exploits the inclusion of untrusted scripts in web pages, often through insecure third-party content.

Security Misconfigurations:
• Default settings, unnecessary services, or improper configurations that could expose sensitive
information or provide unauthorized access.

Broken Authentication and Session Management:
• Weaknesses in user authentication and session handling, leading to unauthorized access or
account hijacking.

Insecure Direct Object References (IDOR):
• Occurs when an application provides access to objects (files, database records) based on
user-supplied input, leading to unauthorized access.

Security Headers Missing:
• Lack of proper HTTP security headers, such as Content Security Policy (CSP) or
Strict-Transport-Security (HSTS), can expose the application to various attacks.

XML External Entity (XXE) Injection:
• Exploits vulnerabilities in XML parsers, allowing attackers to read sensitive files, execute
remote code, or perform denial-of-service attacks.

Insecure File Uploads:
• Allows malicious files to be uploaded to the server, leading to potential execution of arbitrary
code.
Security Bypass:
• Techniques or flaws that allow attackers to bypass authentication or authorization mechanisms.
Insecure Deserialization:
• Exploits weaknesses in the deserialization process, leading to remote code execution or other security
issues.
Unvalidated Redirects and Forwards:
• Redirects or forwards that are not properly validated, allowing attackers to redirect users to malicious
sites.
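An added example (not code from the original slides) of the validation this item calls for: a redirect-target check in Python that only accepts destinations on an allow-listed host. The site origin and the allowed hosts are constructed for the example; the comments mark the URL variants the check has to resolve the way a browser would before deciding.

```python
from urllib.parse import urljoin, urlsplit

# Constructed for this example: the application's own origin and the hosts
# a post-login redirect is allowed to land on.
SITE_ORIGIN = "https://shop.example"
ALLOWED_HOSTS = {"shop.example", "accounts.example"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return the absolute URL to redirect to, or `default` if `target` is unsafe.

    The candidate is resolved against SITE_ORIGIN first, so the decision is made
    on the host the browser would actually navigate to, not on the raw string.
    """
    # CR, LF or NUL in a Location value would let the input inject response headers.
    if not target or any(ch in target for ch in "\r\n\x00"):
        return default

    # Browsers treat a backslash like a slash in URLs; normalise before parsing.
    candidate = target.replace("\\", "/")
    # Browsers collapse any run of leading slashes into a scheme-relative authority,
    # while urljoin would treat "///host" as a path; make both agree.
    if candidate.startswith("//"):
        candidate = "//" + candidate.lstrip("/")

    resolved = urlsplit(urljoin(SITE_ORIGIN, candidate))

    # Reject anything that is not https (blocks javascript:, data:, and http downgrade).
    if resolved.scheme != "https":
        return default
    # .hostname strips userinfo and port, so "allowed@evil" resolves to "evil".
    if resolved.hostname not in ALLOWED_HOSTS:
        return default
    return resolved.geturl()


if __name__ == "__main__":
    for sample in ("/account", "//evil.example/x", "https://accounts.example@evil.example/"):
        print(f"{sample!r:45} -> {safe_redirect_target(sample)}")
```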
Data Exposure and Information Disclosure:
• Inadvertent exposure of sensitive information, such as passwords, through insecure storage or
transmission.
Mass Assignment:
• Occurs when an attacker can manipulate input to modify object properties, potentially gaining
unauthorized access or privileges.
Clickjacking:
• Tricks users into clicking on something different from what they perceive, potentially leading to
unintended actions.
OWASP Top Ten
The Open Web Application Security Project (OWASP) is a non-profit organization founded in
2001 with the goal of helping website owners and security experts protect web
applications from cyberattacks. OWASP has 32,000 volunteers around the world who
perform security assessments and research.

• Broken Access Control
• Cryptographic Failures
• Injection
• Insecure Design
• Security Misconfiguration
• Vulnerable and Outdated Components
• Identification and Authentication Failures
• Software and Data Integrity Failures
• Security Logging and Monitoring Failures
• Server-Side Request Forgery
Mitigation of web application vulnerability

Input Validation and Sanitization:
• Validate and sanitize all user inputs to prevent injection attacks (e.g., SQL injection, XSS).
• Use parameterized queries for database access to prevent SQL injection.

Use Parameterized Statements and Prepared Statements:
• Utilize parameterized statements and prepared statements for interacting with
databases to prevent SQL injection.

Cross-Site Scripting (XSS) Protection:
• Implement input validation and output encoding to protect against XSS attacks.
• Use security mechanisms like Content Security Policy (CSP) to control the sources of
executable scripts.

Cross-Site Request Forgery (CSRF) Protection:
• Implement anti-CSRF tokens to validate and authenticate requests.
• Ensure that state-changing requests require user authentication.

Session Management:
• Use secure session management practices, including secure session tokens, session
timeouts, and secure cookie attributes.
• Implement multi-factor authentication to enhance user authentication security.

Security Headers:
• Configure proper security headers, such as Strict-Transport-Security (HSTS),
Content-Security-Policy (CSP), and X-Content-Type-Options, to enhance browser security.
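An added example (not from the slides) that turns the header list above, and the "Security Headers Missing" and clickjacking items in the vulnerability section, into a check a reviewer can run against a captured response. The baseline values and the weak sample response are constructed for the example; the minimum HSTS age is an assumed threshold.

```python
import re

# Baseline from the slides' header list; the values are conservative defaults
# assumed for this example, not prescribed by the original text.
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}


def _get(headers: dict, name: str):
    # HTTP header names are case-insensitive, so match on the lower-cased name.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_security_headers(headers: dict, min_hsts_age: int = 15552000) -> list:
    """Return a list of findings for one response's headers (empty means all checks pass)."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < min_hsts_age:
            findings.append("Strict-Transport-Security max-age below 180 days")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy allows inline or eval'd script")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    return findings


# Constructed sample: roughly what a framework left on default settings might send.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("recommended", RECOMMENDED_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["no findings"])
```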

Security Patching and Updates:
• Regularly update and patch the underlying software, frameworks, and libraries to
address known vulnerabilities.
• Monitor security advisories for the technologies used in the application.

Least Privilege Principle:
• Limit user privileges to the minimum necessary for their tasks.
• Apply the principle of least privilege to ensure users and processes only have access to
the resources they need.

Security Misconfigurations:
• Conduct regular security audits to identify and address configuration errors.
• Follow secure coding guidelines and use security checklists for different components.

File Upload Security:
• Validate file types, enforce file size limits, and store uploaded files in a secure location.
• Implement proper access controls on uploaded files.

Security Awareness Training:
• Train developers, administrators, and other stakeholders about secure coding practices
and potential vulnerabilities.
• Foster a security-aware culture within the organization.

Regular Security Testing:
• Perform regular security testing, including penetration testing, code reviews, and
automated scanning tools.
• Use tools like static analysis tools, dynamic analysis tools, and web application firewalls
(WAFs) for additional protection.
Incident Response Plan:
• Develop and maintain an incident response plan to promptly respond to and mitigate
security incidents.
• Regularly conduct drills to ensure the effectiveness of the response plan.

Security Monitoring:
• Implement logging and monitoring to detect and respond to suspicious activities.
• Set up alerts for potential security incidents.

API Security:
• Secure APIs by using proper authentication and authorization mechanisms.
• Validate and sanitize input for API requests to prevent injection attacks.

To mitigate vulnerabilities, developers and administrators should follow secure coding
practices, conduct regular security audits, implement security mechanisms, and stay
informed about the latest security threats and patches. Security testing, including
penetration testing and code reviews, is essential to identify and address potential
vulnerabilities in web applications.
Web Application Security Checklist
Ensure Strong Authentication

Authentication is a fundamental pillar of web application security, as it establishes the identity of users
interacting with your application. Without strong authentication measures, malicious actors can easily
impersonate legitimate users, gaining unauthorized access to your application and its data.

Here’s what to include in your authentication checklist:

• Strong Password Policies: Enforce strong password policies, including complexity requirements and
regular password changes.

• Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security by requiring
users to provide multiple forms of verification.

• Password Storage: Employ robust hashing and salting methods to securely store passwords,
fortifying your defense against potential data breaches.

• Account Lockout Mechanism: Implement an account lockout mechanism to prevent brute force
attacks on user accounts.
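An added example (not code from the original slides) covering two items of the checklist above, salted password hashing and account lockout, in Python's standard library. The algorithm, iteration count, failure limit and lockout duration are assumed for the example; the clock is injectable so the lockout window can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

# Work factor and lockout parameters are assumed for this example; the slides
# call for hashing, salting and lockout but do not prescribe values.
ITERATIONS = 600_000
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


def hash_password(password: str) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt for every password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check leaks nothing about matching prefixes.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Verified against for unknown usernames so response time does not reveal
# whether an account exists.
DUMMY_HASH = hash_password(secrets.token_hex(16))


class AccountStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._hashes = {}        # username -> stored hash string
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> clock value when the lock expires

    def register(self, username: str, password: str) -> None:
        self._hashes[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; MAX_FAILURES misses lock the account."""
        now = self._clock()
        if self._locked_until.get(username, 0) > now:
            return "locked"
        stored = self._hashes.get(username)
        if stored is None:
            verify_password(password, DUMMY_HASH)  # spend the same time as a real check
            ok = False
        else:
            ok = verify_password(password, stored)
        if ok:
            self._failures.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        if failures >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
        else:
            self._failures[username] = failures
        return "denied"
```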
Enforce Authorization

Without proper authorization controls, unauthorized access, data breaches, and malicious
activity become real risks. By implementing robust authorization, you can ensure that
sensitive data and functionalities are only accessible to authorized users, reducing the attack
surface and enhancing overall security.

To ensure proper authorization, consider the following:

• Role-Based Access Control (RBAC): Implement a role-based access control system that
assigns roles to users and specifies what actions each role is allowed to perform.

• Least Privilege Principle: Users should have the minimum level of access required to
perform their tasks, reducing the risk of unauthorized actions.

• Session Management: Use secure session management to ensure that users are only
authorized during their active sessions.

• Audit Trails: Maintain audit logs to track and review authorization activities, enabling the
detection of suspicious or unauthorized access.
Manage Access Controls

Proper access controls are important for various reasons:

• Data Privacy and Confidentiality: Access controls protect sensitive information and
maintain data privacy by limiting access to authorized individuals only.

• Preventing Unauthorized Modifications: Access controls prevent unauthorized changes to
data or resources, ensuring data integrity.

• Preventing Data Leaks: Unauthorized access can lead to data leaks or data breaches,
which can be costly in terms of financial and reputational damage.

• Efficient Resource Allocation: Proper access controls ensure that resources are allocated
efficiently by restricting access to those who genuinely need it, enhancing performance
and security.
Perform Input Validation

Even a simple name or a photo uploaded can become trouble if not checked properly. It’s like
letting a stranger in without asking who they are. This could lead to your website crashing or
sensitive data being exposed.

Here’s how to ensure proper input validation:

• Whitelisting: Use whitelisting to allow only specific, known inputs and reject all others.

• Blacklisting: Employ blacklisting to block known malicious inputs, such as dangerous
characters or patterns.

• Parameterized Queries: Use parameterized queries to prevent SQL injection attacks by
separating user data from SQL queries.

• Regular Expression Validation: Validate user inputs using regular expressions to ensure
they match the expected format.
Data Security

The next vital component of your web application security checklist is data encryption. It involves
encoding sensitive information to protect it from unauthorized access and maintaining data
confidentiality.

Here’s what to consider for data encryption in your web application:

• Regular Backups: Implement regular backups of your application data and store them securely.

• SSL/TLS: Implement SSL/TLS for secure data transmission, ensuring data is encrypted between the
client and server.

• Encryption at Rest: Use encryption methods to protect sensitive data stored in databases or on the
server.

• Key Management: Properly manage encryption keys and ensure they are stored securely.

• Data Masking: Implement data masking for sensitive information, displaying only the necessary parts
to users.
Perform Continuous Risk Assessment

In 2021, organizations lacking a zero-trust approach incurred an average breach cost of $1.76
million higher than organizations that embraced zero trust as a security strategy.

While apps are not entirely un-hackable, risk assessment and prioritization help you set realistic
goals, policies, and security standards. You need to keep assessing your organization’s risks and
keep them within your tolerance levels.

Your assessments should address the following queries:

• What are the most critical IT assets for your organization?
• Which types of data breaches could significantly impact your business’s success?
• What are the potential threats to your organization and their origins?
• What security vulnerabilities exist, both internally and externally?
• What would be the consequences if your organization’s security weaknesses were exploited?
• How likely is it that a security weakness will be exploited?
• What security threats or cyberattacks could disrupt your organization’s ability to operate?
Application Security:

Secure Coding Practices: Follow secure coding practices to avoid common vulnerabilities like
cross-site scripting (XSS), insecure direct object references (IDOR), and insecure direct file
inclusion (IDFI).

Regular Updates: Keep your application, libraries, and frameworks updated with the latest
security patches.

Error Handling: Implement secure error handling to avoid revealing sensitive information about
your application or server.

Security Testing: Regularly conduct security assessments and penetration testing to identify and
address vulnerabilities.
Security Awareness Training

• Educate your team about security best practices:
• Security Training: Regularly train developers, testers, and other team members on
security topics.
• Phishing Awareness: Educate employees about phishing and social engineering.

Compliance and Regulations

• Stay compliant with relevant regulations:
• Data Protection Laws: Comply with GDPR, CCPA, HIPAA, or other applicable regulations.
• Industry Standards: Follow security standards like OWASP, NIST, or ISO 27001.

Continuous Improvement

• Security is an ongoing process:
• Security Culture: Foster a culture of security within your organization.
• Security Metrics: Establish metrics to measure and improve your application's security
over time.
Additional Considerations:

• Content Security Policy (CSP): Implement a CSP to restrict the scripts and resources that
can be loaded by your application, mitigating certain attacks.

• Cross-Origin Resource Sharing (CORS): Configure CORS settings to restrict access to your
application's resources from unauthorized origins.

• Secure Headers: Implement secure headers like Strict Transport Security (HSTS) and X-
Frame-Options to protect against specific attack vectors.

• Logging and Monitoring: Implement logging and monitoring systems to detect and
respond to suspicious activity.
