DauHoang WebSecurity Chapter 1 Introduction To Web Security PDF

This document contains lecture notes on web security from the University of Science and Technology of Hanoi. It introduces web security, covering topics like the components of web applications, HTTP protocols, URLs, web sessions, and cookies. References on web security textbooks are also provided. The course will cover common attacks on web apps, security measures, development practices, and include labs and a project.


UNIVERSITY OF SCIENCE AND TECHNOLOGY OF HANOI

WEB SECURITY LECTURE NOTES

CHAPTER 1 – INTRODUCTION
TO WEB SECURITY

Lecturer: Assoc. Prof. Dr. Hoang Xuan Dau
E-mail: [email protected]
Office: Faculty of Information Security, PTIT, Hanoi
Textbooks and references

1. Bryan Sullivan, Vincent Liu, Web Application Security, A Beginner's Guide, McGraw-Hill, 2012.
2. Andrew Hoffman, Web Application Security: Exploitation and Countermeasures for Modern Web Applications, 1st Edition, O'Reilly Media, 2020.
3. Mike Shema, Hacking Web Apps: Detecting and Preventing Web Application Security Problems, Elsevier Inc., 2012.
4. Hoàng Xuân Dậu, Bài giảng an toàn ứng dụng web và cơ sở dữ liệu (Lecture notes on web application and database security), Học viện Công nghệ BCVT (Posts and Telecommunications Institute of Technology), 2021 (http://infosecptit.com/web.db-security/Baigiang-an-toan-ung-dung-web-va-csdl-2021).

Course Topics

1. Introduction to web security
2. Common attacks on web applications
3. Web security measures
4. Security in development and deployment of web applications
5. Labs (6 labs)
6. Minor project.

Chapter 1 Topics

1. Overview of web applications
2. Security vulnerabilities and threats to web applications
3. Approaches and principles to web security
4. Revision questions and exercises.

1.1 Overview of web applications

❖ HTTP protocols
❖ Components of web applications
❖ Architecture of web applications

1.1 HTTP protocols

❖ HTTP (Hyper-Text Transfer Protocol) is a protocol of the application layer of the TCP/IP suite;
❖ HTTP is used by web applications to transfer hypertext (text, images, audio, video, other dynamic content);
❖ HTTP working model:
▪ Request – Response
▪ Client / Server.
❖ HTTPS or secure HTTP = HTTP + SSL/TLS: the communication session between client and server is secured by encryption;
❖ Standard ports for HTTP and HTTPS are 80 and 443, respectively.

HTTP protocols (figure)

HTTP Request – Response model

❖ HTTP Client (Web Browser) sends a request to HTTP Server (Web Server): (figure)

HTTP Request – Response model

❖ HTTP Server sends a response to HTTP Client: (figure)

HTTP Request – Response model

❖ HTTP working model with the participation of a program (CGI) running on the server to access the database: (figure)

1.2 Components of web applications

❖ Web client/web browser
❖ Web server
❖ URL/URI
❖ Web session and cookies
❖ Interpretation and execution engine of server scripts
❖ Server scripts (also called CGI – Common Gateway Interface)
❖ Database server
❖ TCP/IP network infrastructure connecting web client and server.

Web browser

❖ A web browser is software running on the client machine with the following functions:
▪ Create and send requests to the web server;
▪ Receive and display responses from the web server.
❖ Supported methods: GET, POST, HEAD,...
❖ Can display various types of data on a web page: text, images, audio, video, etc.;
❖ Supports client-side programming with scripting and markup languages, such as JavaScript, HTML, XML, CSS;
❖ Common web browsers: MS Internet Explorer/Edge, Google Chrome, Mozilla Firefox, Opera, Apple Safari,...

Web Server

❖ Receives and processes web requests from web browsers and sends back a response (usually a web page):
▪ If the request accesses a static HTML file, the web server reads the file from the local file system and sends the response back to the browser;
▪ If the request accesses a server script:
• The web server passes the script to the script engine;
• The script engine interprets and executes the server script;
• The script engine returns the result to the web server;
• The web server uses the result to create the response sent back to the web browser.

Web Server

❖ The response status or HTTP status code is the return code the web server gives after processing a request:
▪ 200: successful
▪ 404: page not found
▪ 403: forbidden request
▪ 500: server script execution error.

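The two web server slides above describe the static-file path, the script path and the status codes; the following toy request handler, an added example and not code from the lecture notes, walks through those steps. It assumes an in-memory document root (a dict) standing in for the file system, and a callable standing in for a server script handed to the script engine.

```python
# Added example: a toy web-server request handler for the steps and status
# codes on the slides. Assumption: the document root is an in-memory dict,
# so the example runs without touching disk.
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed document root: URL path -> static file bytes, or a callable
# standing in for a server script that the script engine would execute.
DOCROOT = {
    "/index.html": b"<h1>Welcome</h1>",
    "/member/profile.html": b"<p>member area</p>",
    "/broken.cgi": lambda: 1 / 0,        # a server script that raises
}
# Paths that require an authenticated session (covered on later slides).
RESTRICTED = ("/member/",)


def normalize_path(target: str) -> str:
    """Map the request target to a canonical absolute path under the root.

    Percent-escapes are decoded first, then "." and ".." segments are
    collapsed, so "/member/../index.html" and "/%2e%2e/x" resolve to a path
    under "/" and can never point outside the document root.
    """
    raw = unquote(urlsplit(target).path)
    return posixpath.normpath("/" + raw.lstrip("/"))


def handle_request(method: str, target: str) -> tuple:
    """Return (status_code, body) for one HTTP request line."""
    if method not in ("GET", "HEAD"):
        return 405, b"method not allowed"
    path = normalize_path(target)
    if path.startswith(RESTRICTED):
        return 403, b"forbidden"          # 403: request not permitted
    resource = DOCROOT.get(path)
    if resource is None:
        return 404, b"page not found"     # 404: no such file or page
    if callable(resource):                # server script: run via the engine
        try:
            body = str(resource()).encode()
        except Exception:
            return 500, b"script error"   # 500: script execution error
    else:
        body = resource                   # static file: read from the root
    return 200, (b"" if method == "HEAD" else body)
```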
Web Server

❖ Common web servers:
▪ Mozilla Apache web server
▪ Microsoft Internet Information Services (IIS)
▪ nginx (NGINX, Inc)
▪ Google web services
▪ IBM Websphere
▪ Oracle web service

URL/URI

❖ URL (Uniform Resource Locator):
▪ Also called a web address
▪ A URL is a string that refers to a resource.
▪ Format: scheme://domain:port/path?query_string#fragment
• scheme: access protocol (http, https, ftp,...)
• domain: domain name, e.g. www.google.com
• port: service port number (not required for the standard ports 80 and 443)
• path: path to the file or page
• ?query_string: the query string, consisting of name=value pairs. The symbol & separates two pairs. E.g.: ?id=1000&keyword=Vietnam
• fragment: a name linking to a section in the page.

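The URL format on this slide, taken apart by the following parser, which is an added example and not code from the lecture notes. It assumes a default port of 21 for ftp (the slide only gives 80 and 443) and refuses URLs carrying a user name before "@", because the text before "@" is not the domain and is easily misread as one.

```python
# Added example: split a URL into the components the slide names,
# scheme://domain:port/path?query_string#fragment, and decode the query
# string into name=value pairs.
from urllib.parse import parse_qsl, urlsplit

# Assumption: ftp's default port (21) is not on the slide.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def parse_url(url: str) -> dict:
    """Break a URL into its parts; port falls back to the scheme default."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no domain")
    # "user@host" is legal URL syntax, but the text before "@" is not the
    # domain; take the domain only from the parser and refuse such URLs so
    # that "http://www.google.com@other.example/" is not misread.
    if parts.username is not None:
        raise ValueError("userinfo before '@' is not accepted")
    # .port is None when ":port" is absent and raises ValueError when it is
    # not a valid number.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    # parse_qsl splits on "&", then on "=", and percent-decodes both halves;
    # keep_blank_values keeps "name=" pairs whose value is empty.
    query = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "scheme": parts.scheme,
        "domain": parts.hostname,
        "port": port,
        "path": parts.path or "/",
        "query": query,
        "fragment": parts.fragment,   # handled by the browser, never sent
    }


def is_valid_url(url: str) -> bool:
    """True if parse_url accepts the URL."""
    try:
        parse_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample built from the slide's query string example.
    print(parse_url("https://www.google.com/search?id=1000&keyword=Vietnam#top"))
```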
URL/URI

❖ URI (Uniform Resource Identifier):
▪ Is a string that identifies a web address or a name;
▪ A URI can be a URL or a URN.
❖ URL vs. URN:
▪ A URN identifies a resource by name
▪ A URL gives the address/location where a resource can be found.

Web session and cookies

❖ A web session is a technique that creates a stateful web application on top of stateless HTTP;
▪ Stateful web application: the application can “remember” the users;
▪ Stateless web application: the application can NOT “remember” the users. Each web request is processed separately.
❖ The length of a session depends on the web application’s configuration;

Web session and cookies

❖ Example:
▪ After logging on successfully to the member area, the web server creates a session for the user;
▪ The user can access other pages within the member area without having to provide username and password until the end of the session.
❖ Note: A session can be started with or without a log-on action:
▪ A session is created for a user when the user starts browsing pages of an online shop and creates a shopping cart without logging on.

Web session and cookies

❖ Cookie (also called HTTP cookie or browser cookie):
▪ Is a piece of information that the website sends to, and stores in, the user's web browser when the user visits the website;
▪ When the user visits the website again, the website can retrieve the information in the cookie to see the user's previous activities;
▪ Cookies are usually used to:
• Store web session information (session ID, username, password,...);
• Maintain the state of the web session.

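The three session and cookie slides above, as a working server-side session store; this is an added example, not code from the lecture notes. It assumes the session data (user name, role) is kept on the server and only an opaque random session ID travels in the cookie, and it assumes a 30-minute session length as the configured value; the ID is read from the Cookie header only, never from the URL.

```python
# Added example: a minimal server-side session store keyed by a random ID.
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"
SESSION_TTL = 30 * 60     # seconds; assumed configuration value


class SessionStore:
    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._sessions = {}   # session_id -> (expires_at, data)

    def create(self, data: dict):
        """Start a session; returns (session_id, Set-Cookie header value)."""
        sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._sessions[sid] = (self._clock() + self._ttl, dict(data))
        # HttpOnly: page scripts cannot read it; Secure: sent over HTTPS only;
        # SameSite=Lax: not attached to cross-site POST requests.
        header = f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return sid, header

    def lookup(self, cookie_header: str):
        """Resolve the session named in a request's Cookie header, or None.

        Only the Cookie header is consulted; a session ID in the query
        string (the A2 example later in the chapter) is ignored.
        """
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        if COOKIE_NAME not in jar:
            return None
        sid = jar[COOKIE_NAME].value
        entry = self._sessions.get(sid)
        if entry is None:
            return None           # unknown, forged or already destroyed ID
        expires_at, data = entry
        if self._clock() > expires_at:
            self.destroy(sid)
            return None           # expired: the user has to log on again
        return data

    def destroy(self, sid: str) -> None:
        """End the session (log-off)."""
        self._sessions.pop(sid, None)
```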
Interpretation and execution engine of server scripts

❖ The interpretation and execution engine of server scripts is responsible for loading, interpreting and executing each line of the script on the web server;
❖ Since the engine runs in interpretation mode, it is usually slower than applications that run in compiled mode;
❖ One web server can work with several script engines;
❖ Some common script engines:
▪ Microsoft ASP, ASP.NET
▪ PHP engine
▪ Perl, Python engine, JVM/JSP
▪ NodeJS.

Interpretation and execution engine of server scripts

Microsoft IIS with ASP and ASP.NET engines (figure)

Server scripts (CGI – Common Gateway Interface)

❖ Server scripts are code segments embedded into HTML pages to execute data processing tasks and return results that create the content of the web pages;
❖ The web server passes server scripts to script engines to interpret and execute. The script execution results are returned to the web server;
❖ Programming languages for server scripts:
▪ ASP (VBScript), ASP.NET (C#)
▪ PHP
▪ Perl
▪ Python
▪ JSP (Java),…

Database server

❖ A database server is used to manage the databases that store the data of dynamic web pages;
❖ When there is a user request for a dynamic web page:
▪ The web server (or script engine) executes the associated server scripts to access and process data from the database;
▪ The returned result is sent back to the web server to create the content of the web page.

TCP/IP network infrastructure

❖ The TCP/IP network infrastructure includes all devices that form the communication system between the web client and the web server;
❖ Communication devices include:
▪ Switches
▪ Routers
▪ Firewalls
▪ Cables,…

Architecture of web applications

❖ Standard architecture of web applications: (figure)

Architecture of web applications

❖ 3-tier architecture of web applications: Presentation Layer, Business Logic Layer and Data Access Layer (figure)

Architecture of web applications

❖ 3-tier architectures with the relation between client and server: (figure)

1.2 Web vulnerabilities and threats

Top 10 OWASP 2017

❖ A1 – Injection:
▪ Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
▪ The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

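The A1 definition above, shown on a constructed SQLite table; this is an added example and not code from the lecture notes. The vulnerable lookup pastes the login name into the SQL text, so a quote character in the input changes the command the interpreter runs (a legitimate name such as o'neil is enough to break it); the safe lookup binds the name as a parameter, so the SQL text is fixed and the input is only ever data.

```python
# Added example: SQL injection, vulnerable string building beside
# parameter binding, on an in-memory SQLite database.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_role_vulnerable(db: sqlite3.Connection, name: str) -> list:
    # Untrusted data becomes part of the query text: any quote in `name`
    # ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in db.execute(sql).fetchall()]


def find_role_safe(db: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the SQL text is constant; `name` is passed to the
    # database separately and compared as a value, quotes included.
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,)).fetchall()]


def handles_input(lookup, name: str) -> bool:
    """True if `lookup` processes `name` without the database rejecting the SQL."""
    try:
        lookup(make_db(), name)
        return True
    except sqlite3.OperationalError:   # raised when the SQL text is malformed
        return False
```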
Top 10 OWASP 2017

❖ A2:2017-Broken Authentication:
▪ Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently;
▪ Example: the session ID is placed in the URL without proper encoding or checking:
http://www.error-site.com/test.aspx?session_id=12345

Top 10 OWASP 2017

❖ A3:2017-Sensitive Data Exposure:
▪ Many web applications and APIs do not properly protect sensitive data, such as financial and healthcare data;
▪ Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.
▪ Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

Top 10 OWASP 2017

❖ A4:2017-XML External Entities (XXE):
▪ Many older or poorly configured XML processors evaluate external entity references within XML documents;
▪ External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks;
▪ Common ways XXE flaws are exploited:
• Defective XML processors allow attackers to upload malicious XML files or malicious content in XML documents to the server;
• Vulnerabilities in application code, in dependent components, or in the system integration can be exploited to launch attacks.

Top 10 OWASP 2017

❖ A5:2017-Broken Access Control:
▪ Restrictions on what authenticated users are allowed to do are often not properly enforced;
▪ Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, changing access rights, etc.

Top 10 OWASP 2017

❖ A6:2017-Security Misconfiguration
▪ Security misconfiguration is the most commonly seen issue;
▪ This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information;
▪ Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

Top 10 OWASP 2017

❖ A7:2017-Cross-Site Scripting (XSS)
▪ XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript;
▪ XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Top 10 OWASP 2017

❖ A7:2017-Cross-Site Scripting (XSS) (figure)

Top 10 OWASP 2017

❖ A8:2017-Insecure Deserialization
▪ Serialization / Deserialization:
• Serialization is the process of converting an object to a byte sequence;
• Deserialization is the process of converting a byte sequence to an object.
▪ Insecure deserialization often leads to remote code execution;
▪ Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

Top 10 OWASP 2017

❖ A8:2017-Insecure Deserialization
▪ Example:
• A PHP web page uses object serialization to convert the user's session information (ID, name, hashed password,...) into a byte sequence and stores it in a cookie as follows:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
• An attacker can modify the byte sequence to promote himself to an administrator:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
• If the attacker can modify the information and have it deserialized (the byte sequence converted back into a session object), he gets administrative permissions and takes control of the web application.

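The A8 example above, worked through in code: a parser for the PHP serialization subset the slide uses (integers, strings, arrays), the flawed design that deserializes whatever the client returns, and the corrected design that authenticates the cookie with an HMAC before deserializing. This is an added example and not code from the lecture notes; it assumes the session is the 4-element array [id, name, role, password hash] shown on the slide, that the strings are ASCII (PHP's s: length counts bytes), and uses a constructed demo key.

```python
# Added example: PHP-serialized session cookie, parsed and then protected
# against tampering with an HMAC. SECRET_KEY is a constructed demo value.
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key-not-for-production"
# The slide's cookie, and the same bytes with the role rewritten to "admin".
ORIGINAL = ('a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;'
            's:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}')
TAMPERED = ORIGINAL.replace('s:4:"user"', 's:5:"admin"')


def php_unserialize(data: str):
    """Decode the subset used above: i:<int>; s:<len>:"<str>"; a:<n>:{...}"""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after value")
    return value


def _parse(data: str, pos: int):
    kind = data[pos]
    if kind == "i":                                 # i:132;
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if kind == "s":                                 # s:7:"Mallory";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                           # skip the :" prefix
        if data[start + length:start + length + 2] != '";':
            raise ValueError("declared length does not match the string")
        return data[start:start + length], start + length + 2
    if kind == "a":                                 # a:4:{key value ...}
        colon = data.index(":", pos + 2)
        count, pos, items = int(data[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            items[key], pos = _parse(data, pos)
        if data[pos] != "}":
            raise ValueError("unterminated array")
        return items, pos + 1
    raise ValueError(f"unsupported type {kind!r}")


def _mac(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(payload: str) -> str:
    """Server side: append an HMAC so the client cannot alter the payload."""
    return f"{payload}.{_mac(payload)}"


def load_session_insecure(cookie: str) -> dict:
    """The slide's flaw: deserialize whatever the client sent back."""
    s = php_unserialize(cookie)
    return {"id": s[0], "name": s[1], "role": s[2]}


def load_session(cookie: str):
    """Verify the MAC first; deserialize only what this server issued."""
    payload, sep, mac = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None                                 # tampered or forged
    s = php_unserialize(payload)
    return {"id": s[0], "name": s[1], "role": s[2]}
```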
Top 10 OWASP 2017

❖ A9:2017-Using Components with Known Vulnerabilities
▪ Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application;
▪ If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover;
▪ Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

Top 10 OWASP 2017

❖ A10:2017-Insufficient Logging & Monitoring
▪ Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data;
▪ Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Top 10 OWASP 2017 vs 2021 (figure)

Top 10 OWASP 2021 new entries

❖ A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws;
❖ A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity;
❖ A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential.

1.3 Approaches and principles to web security

❖ Approaches to web security:
▪ Always implement validation of input data
• Never trust users
• Validate size, format and content of data
• Use data filters.
▪ Minimize the possible attack surface
• Restrict users from directly accessing database systems;
• Only grant “enough” access permissions for the users to carry out their tasks.
▪ Apply a “Defense in Depth” strategy.

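The input validation approach above (validate size, format and content; use data filters), applied to the id and keyword parameters from the chapter's URL example. This is an added example and not code from the lecture notes; the length limits, the id range and the keyword character set are assumed policy values, and every check is an allow-list, so anything not explicitly permitted is rejected rather than cleaned up.

```python
# Added example: allow-list validators for the id and keyword query
# parameters. Limits and character sets are assumed policy values.
import re

ID_MAX_CHARS = 10
ID_MAX_VALUE = 2**31 - 1
KEYWORD_MAX_CHARS = 64
# Explicit [0-9] rather than str.isdigit(), which also accepts characters
# such as "²" that are not decimal digits.
ID_RE = re.compile(r"[0-9]+")
KEYWORD_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]*")
EXPECTED_PARAMS = {"id", "keyword"}


class ValidationError(ValueError):
    pass


def validate_id(raw: str) -> int:
    if not raw or len(raw) > ID_MAX_CHARS:             # size
        raise ValidationError("id: wrong length")
    if not ID_RE.fullmatch(raw):                        # format
        raise ValidationError("id: must be decimal digits")
    value = int(raw)
    if not 1 <= value <= ID_MAX_VALUE:                  # content
        raise ValidationError("id: out of range")
    return value


def validate_keyword(raw: str) -> str:
    raw = raw.strip()
    if not raw or len(raw) > KEYWORD_MAX_CHARS:         # size
        raise ValidationError("keyword: wrong length")
    if not KEYWORD_RE.fullmatch(raw):                   # format and content
        raise ValidationError("keyword: character not allowed")
    return raw


def validate_query(params: dict) -> dict:
    """Filter a decoded query string; unknown names are rejected, not ignored."""
    unexpected = sorted(set(params) - EXPECTED_PARAMS)
    if unexpected:
        raise ValidationError(f"unexpected parameter(s): {unexpected}")
    clean = {}
    if "id" in params:
        clean["id"] = validate_id(params["id"])
    if "keyword" in params:
        clean["keyword"] = validate_keyword(params["keyword"])
    return clean


def is_valid_query(params: dict) -> bool:
    try:
        validate_query(params)
        return True
    except ValidationError:
        return False
```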
Principles to web security

❖ Defense in Depth
❖ Total protection
❖ Continuous protection
❖ Simplicity in usage.

Defense in Depth

❖ Apply multiple protection layers:
▪ Network protection layer
▪ Host protection layer
▪ Application protection layer.
❖ Each protection layer has its own functionality, and the layers support each other to make the system secure.

Defense in Depth (figure)

Defense in Depth - Network protection layer

❖ Ensure the network infrastructure provides secure communication between web client and web server;
❖ Network devices must be installed and configured properly to ensure security:
▪ Switches
▪ Routers
▪ Firewalls
▪ IPS/IDS.

Defense in Depth - Host protection layer

❖ Secure operating systems
❖ Secure databases
❖ Secure software and system services.

Defense in Depth - Application protection layer

❖ Authentication and authorization
❖ Configuration
❖ Input data validation
❖ Session management
❖ Data encryption
❖ Exception management
❖ Logging.

Revision questions and exercises

1. What is HTTP? Describe the HTTP working model.
2. What are the components of web applications? Describe each component.
3. Describe the architectures of web applications.
4. Describe the OWASP Top 10 web vulnerabilities and threats.
5. What are the approaches and principles to web security?
6. Install the Microsoft IIS web server and at least a simple website (1-2 pages).
7. Install the Apache/Nginx web server and at least a simple website (1-2 pages).