Topic 1 - Web Application Security Fundamentals (1).pdf

Full Transcript

Topic 1
Web Application Security Fundamentals
Objectives
Know the evolution of web application
Know the common web application functions
Identify the common web application vulnerabilities

2
The Internet and WWW
The internet is a system of interconnected networks that connects a vast
array of private, public, commercial, academic, and governmental networks
to enable global communication and access to data resources.
The Internet is managed by organizations that create global protocols, such
as the Internet Assigned Numbers Authority (or IANA).
The World Wide Web (WWW), is a collection of information that can be
accessed via the Internet.
The WWW is a service built on top of the Internet's infrastructure.
What are the other services provided by the Internet?
Is there another alternative to WWW?

3
Client-Server Model
It is a distributed application structure that partitions tasks or
workloads between the providers of a resource or service, called
servers, and service requesters, called clients.
Every machine on the internet is either a server or a client.
The machines that provide services to other machines are
servers. And the machines that are used to utilize these services
are clients.
Request

Response

client server
5
The WWW
Is a distributed system made up of both client and server software.
Your Web browser is a client program that has requested a service from the
Web server.
The client process always initiates a request from the server, while the
server process always waits for requests from any client and respond to
them accordingly.

HTTP

Web browser Web server

6
Web Application?
“A Web application (Web app) is an application program that is
stored on a remote server and delivered over the Internet
through a browser interface.” – Wikipedia.org
The client is provided services through a Web server.
Run on the browser (client) and don’t need to be installed.
Programmed using a client–server modelled structure.
Written using server-side programming language.
Receive request from the client and send back response.
Discussion:
Why you need a Web Application?
Compare between website and Web application

7
Client-side vs Server-side
Client-side means that the Server-side means that the
processing takes place on the processing takes place on a
user’s computer. web server.
Web browsers execute client- Web servers execute server-
side scripts. side scripts.
Used to create static pages. Used to create dynamic pages.
It can access the file system It can access the file system
residing at the user’s residing at the webserver.
computer.

8
Client-side vs Server-side scripts

Client-Side Scripts Server Side Scripts
The source code is used to The source code is interpreted
transfer from webserver to on the Web server and the
user’s computer over the result transferred to the user’s
internet and run directly on computer over the internet
browsers. and run directly on browsers.
HTML, CSS, and JavaScript are PHP, Python, Java, Ruby are
used. used.

9
Static vs Dynamic Applications
Static web apps display Dynamic web apps display live
constant information and data or change their contents
doesn’t change unless based on user requests and
modified by the developer. interaction.
A static web application is a A dynamic web application is
collection of HTML, CSS, and written in PHP, ASP.net or
JavaScript. Python.
Can work without a web Must use a Web server to
server, they need only the Web interpret the source code
browser to render the page.
10
 How Web App Works

11
Source: https://alb.host.cs.st-andrews.ac.uk/webdatabases/howwebapp.htm
Class Discussion
Identify different types of web applications!

12
Class Discussion
Identify different types of web applications!

13
The Evolution of Web Applications
http://www.evolutionoftheweb.com
https://www.webdesignmuseum.org/web-design-history
https://thehistoryoftheweb.com/timeline

Activities:
Write a short review on any of the available web
technologies
16
World’s First Website

Tim Berners-Lee
August 6, 1991
17
Class Activity
Objectives:
To observe how websites/web applications have evolved over time
Steps:
Visit https://web.archive.org/
Search for your college website
Explore how the website was evolved over the years

18
The Evolution of Web Applications

The Web in early days The Web now
Static pages, no interaction Dynamic pages, interaction with end
Client-side (front-end) user
Publicly accessible to all the Server and client-side (front and
visitors. back-end)
Passively viewing contents Private and public pages.
One way communication Users able to modify the contents
No encryption was required Two way communication
No authentication was required Encryption is a must
Minimum resources, less complex Authentication is essential
More resources, higher complexity

19
What makes Web Apps so popular?
The protocol (HTTP) is lightweight and connectionless
Every user already has a browser installed on his computer and mobile
device.
Browsers are highly functional, enabling rich and satisfying user interfaces.
Core technologies and languages used to develop web applications are
relatively simple

20
Enterprise Web Applications
Enterprise web applications are large-scale software solutions
designed to meet the complex needs of organizations and
businesses.
These applications are typically accessed through web browsers
and provide a range of functionalities to support various business
processes.
Examples of enterprise web applications include Customer
Relationship Management (CRM) systems, Enterprise Resource
Planning (ERP) systems, Human Resources Management
Systems (HRMS), and project management tools designed for
large organizations.
Characteristics of Enterprise Web Apps
Scalability:
Enterprise web applications must be able to handle a large number of users
and data.
Scalability is essential to accommodate the growth of users and data volume
without sacrificing performance.
Security:
Security is a top priority for enterprise applications.
They often deal with sensitive business data, and robust security measures are
implemented to protect against unauthorized access, data breaches, and other
potential threats.
Integration:
Enterprise web applications need to integrate seamlessly with other existing
systems within the organization, such as databases, legacy applications, third-
party services, and external APIs.
Integration ensures data consistency and enhances overall efficiency.
Characteristics of Enterprise Web Apps
Customization:
Enterprises have diverse needs, and the ability to customize the application to
align with specific business processes is crucial.
Customization options allow organizations to tailor the application to their
unique requirements.
User Access Control:
Role-based access control (RBAC) is often implemented to manage user
permissions.
This ensures that different users have appropriate levels of access based on
their roles within the organization.
Collaboration Features:
Many enterprise web applications include collaboration features such as
document sharing, version control, and real-time collaboration tools to facilitate
teamwork among employees.
Characteristics of Enterprise Web Apps
Workflow Automation:
Automation of business processes is a common feature in enterprise
applications.
Workflow automation helps streamline repetitive tasks, reduce errors, and
improve overall efficiency.
Reporting and Analytics:
Comprehensive reporting and analytics tools enable organizations to gain
insights into their operations, monitor key performance indicators (KPIs), and
make informed decisions.
Responsive Design:
With users accessing applications from various devices, including desktops,
laptops, tablets, and smartphones, responsive design is crucial.
The application should provide a consistent and user-friendly experience across
different screen sizes.
Characteristics of Enterprise Web Apps
Compliance:
Enterprise web applications often need to comply with industry-specific
regulations and standards.
Ensuring compliance is important for legal and regulatory reasons.
Continuous Maintenance and Support:
Enterprise applications require ongoing maintenance, updates, and
support to address bugs, security vulnerabilities, and evolving business
needs.
Case Study
“A Case Study on Web Application Security Testing with Tools and Manual
Testing”

27
Read the first two pages of the article and
answer the following questions
Discuss the following sentence “Web applications today are highly functional and rely upon a two-way flow of information
between the server and browser.”
What is OWASP?
What are the common web application vulnerabilities mentioned in the paper?
Differentiate between penetration testing and static code analysis
How Tunestore web application was tested?
Do you think using the web security testing tools were enough to identify all the vulnerabilities?
Discuss how SQL injection works? What are the consequences of SQLi?
Explain how an application can be vulnerable to cross-site scripting (XSS)? What can be achieved with XSS?
What is the main cause of broken authentication?
Describe web spiders
Describe web fuzzer, fuzz testing or fuzzing
What does it mean when it is mentioned in the tool description that the supports payload feature?
What is SOAP?
What is Ajax?

28
Group Discussion
What are the web application security requirements?
Protect the confidentiality of the applications data, source code and
user’s data
Protect the integrity of the applications data and user’s data
Protect the availability of the applications’ function and user’s data

29
Web Application Security
“Web application security is a branch of information security that
deals specifically with security of websites, web applications and
web services”. -- Wikipedia
Popular tools:
Information Burp Suite
Gathering
OWASP ZAP Proxy
SQLMap
Remediation BEef
Research And
And Ongoing John Ripper , Hydra
Exploitation
Support Skipfish
W3af
Reporting And Wfuzz
Recommendati Watcher
ons 31
Web Application Security Posture
Web applications introduce new security vulnerabilities.
Emerging technologies create opportunities for exploitation.
Serious attacks aim to expose sensitive data or gain unrestricted
access to back-end systems.
Attacks causing system downtime are critical events for many
organizations.

32
Key Web Apps Security Elements
There are several key web application security requirements that
organizations should consider to ensure the security of their web
applications:
Input validation: Validate all user input to prevent processing of malicious input (e.g.,
SQL injection, cross-site scripting).
Authentication and authorization: Implement robust mechanisms, including password
policies, two-factor authentication, and secure encryption, to control access.
Session management: Securely manage user sessions by using secure tokens,
invalidating sessions after inactivity, and encrypting session data with HTTPS.

33
Key Web Apps Security Elements
Data Protection: Securely store and transmit sensitive data, employing encryption for
data at rest and in transit, and using secure protocols like SSL/TLS.
Access Control: Implement mechanisms to control access, ensuring only authorized
users can access sensitive data and application functions. This may involve role-based
access control and access control lists.
Logging and Monitoring: Maintain detailed logs of user activity and system events,
enabling the detection and investigation of security incidents. Regularly monitor logs for
suspicious activity and deploy intrusion detection systems for threat response.
Regular Software Updates: Keep software and third-party components up-to-date to
patch vulnerabilities and maintain the overall security of the application.

34
Web Applications Attack Landscape
Malicious Bots
Bot attacks employ automated online requests to manipulate, scam, or
disrupt a website, application, API, or users. Bot assaults have grown
from spamming operations to international criminal businesses with
economies and infrastructures.
Malware
Malware can target web applications and the servers they run on. They
can perform a variety of malicious operations including stealing,
encrypting or deleting sensitive data, altering or hijacking core
computing functions, and monitoring users’ computer activity without
their permission.

35
Web Applications Attack Landscape
Denial of Service (DoS)
A DoS attack is a malicious attempt to disrupt the normal operation of a
web application for legitimate users. In DoS attackers flood targets with
packets or requests.
Application Vulnerabilities
Application vulnerabilities are flaws in code or application design that
create a possible point of compromise and potentially allow entry for
attackers.
Common examples of web application vulnerabilities include injection
vulnerabilities, cross-site scripting (XSS), broken authentication and
session management, and security misconfiguration.

36
Web Application Vulnerabilities
Broken authentication — this category of vulnerability
encompasses various defects within the application’s login
mechanism, which may enable an attacker to:
Guess weak passwords,
Launch a brute-force attack, or
Login to: app.com

Bypass the login. Hello Hassan

Sniffing

37
Web Application Vulnerabilities
Broken access controls — this involves cases where the
application fails to properly protect access to its data and
functionality, potentially enabling an attacker to
view other users’ sensitive data held on the server or
carry out privileged actions.

Run as Administrator

OK

38 38
Web Application Vulnerabilities
SQL injection — this vulnerability enables an attacker to submit
crafted input to interfere with the application’s interaction with
back-end databases.
An attacker may be able to retrieve arbitrary data from the application,
interfere with its logic, or
execute commands on the database server itself.
Submit crafted input

Retrieve arbitrary data

39
Web Application Vulnerabilities
Cross-site scripting — This vulnerability enables an attacker to
target other users of the application,
potentially gaining access to their data,
performing unauthorized actions on their behalf, or
carrying out other attacks against them.
(3) Browser executes
malicious script
(2) victim's browser loads
legitimate site

(1) script-injected (4) Malicious script
link send victim’s private
data to the attacker

40
Web Application Vulnerabilities
Information leakage — This involves cases where an application
divulges sensitive information that is of use to an attacker in
developing an assault against the application, through defective
error handling or other behaviour.

41
Web Application Vulnerabilities
Cross-site request forgery — This flaw means that application
users can be induced to perform unintended actions on the
application within their user context and privilege level. The
vulnerability allows a malicious web site visited by the victim
user to interact with the application to perform actions that the
user did not intend.
(1) User login to his account
(2) Access token is issued
(4) Unintended action

(3) script-injected
link

42
The Core Security Problem
Because the client is outside of the application’s control, users
can submit arbitrary input to the server-side application.
The application must assume that all input is potentially
malicious.
Users can interfere with any piece of data transmitted between the client
and the server,
Users can send requests in any sequence and can submit parameters at
a different stage than the application expects,
Users are not restricted to using only a web browser to access the
application.

43
The OWASP Foundation
The Open Web Application Security Project (OWASP) provides free
and open resources*.
It is led by a non-profit called The OWASP Foundation.
The OWASP Top 10 - 2017 is the published result of recent
research based on comprehensive data compiled from over 40
partner organizations.
From this data, approximately 2.3 million vulnerabilities were
discovered across over 50,000 applications.
* https://www.owasp.org/

44
OWASP Top 10
According to the OWASP Top 10 - 2017, the ten most critical web
application security risks include*:
SQL injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Insecure Direct Object References
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring

45
Summary
A Web application (Web app) is an application program that is stored
on a remote server and delivered over the Internet through a browser
interface.
Nowadays web applications are mostly dynamic pages and provide
two-way communication to interact with users.
Encryption and authentication are essential in web applications.
The protocol (HTTP) is lightweight and connectionless, HTTPS is more
secure because it uses SSL (encryption).
Web applications are widely adopted inside organizations to support
key business functions.
Broken authentication, broken access control, SQL Injection, Cross-site
scripting and cross-site request forgery are examples of web
vulnerabilities.
46
References
Dafydd Stuttard, and Marcus Pinto. The Web Application Hacker’s Handbook. Indianapolis, Ind. Wiley.

Shema, Mike, and Jorge Blanco Alcover. Hacking Web Apps : Detecting and Preventing Web Application

Security Problems. Waltham, Ma, Syngress, 2012.