Web and application security

Introduction
• Web application security, is a branch of Information Security that
deals specifically with security of websites, web applications
and web services.
• At a high level, Web application security draws on the principles of
application security but applies them specifically to Internet
and Web systems.
• Web application security is the process of securing confidential data
stored online from unauthorized access and modification.
The aim of Web application security
• The aim of Web application security is to identify the following:

• Critical assets of the organization

• Genuine users who may access the data
• Level of access provided to each user
• Various vulnerabilities that may exist in the application
• Data criticality and risk analysis on data exposure
• Appropriate remediation measures
Four conditions of security
• Web application security aims to address and fulfill the four
conditions of security, also referred to as principles of security:
• Confidentiality: States that the sensitive data stored in the Web application
should not be exposed under any circumstances.
• Integrity: States that the data contained in the Web application is consistent
and is not modified by an unauthorized user.
• Availability: States that the Web application should be accessible to the
genuine user within a specified period of time depending on the request.
• Nonrepudiation: States that the genuine user cannot deny modifying the data
contained in the Web application and that the Web application can prove its
identity to the genuine user.
Web application security architecture
The key areas of concern for each
application tier are:
•Browser. Authenticating users on the
client. Protecting sensitive data on the
wire.  Preventing common attacks
such as parameter manipulation and
session hijacking.
•Web Server. Validating untrusted
input. Exception handling. Authorizing
your users. Securing the configuration.
•Application Server. Authenticating
and Authorizing users. Auditing and
logging. Protecting sensitive data on
the wire. Securing configuration.
•Database Server. Protecting sensitive
data in the database. Securing
configuration. Locking down database
users.
Web application architecture
Why Web Application Vulnerabilities Occur ?
The Web Application
Security Security Gap Application
Professionals Developers and
Don’t Know The QA Professionals
Applications Don’t Know
Security
“As a Network Security “As an Application
Professional, I don’t Developer, I can
know how my build great features
companies web and functions while
applications are meeting deadlines,
supposed to work so I but I don’t know
deploy a protective how to develop my
solution…but don’t web application
know if it’s protecting with security as a
what it’s supposed to.” feature.”
 Web Application Vulnerabilities

“If builders built buildings the way programmers wrote programs, then
the first woodpecker that came along would destroy civilization.”

-Weinberg's Second Law

 Web Application Vulnerabilities
• Technical Vulnerabilities
• Result of insecure programming techniques
• Mitigation requires code changes
• Detectable by scanners
• http://example/order.asp?item=<script>alert(‘p0wned’)</script>&price=300.00
• Logical Vulnerabilities
• Result of insecure program logic
• Most often to due to poor decisions regarding trust
• Mitigation often requires design/architecture changes
• Detection often requires humans to understand the context
• http://example/order.asp?item=toaster&price=30.00
Web Application Vulnerabilities
• Generally stem from improper handling of client
requests and/or lack of input validation checking
• Web applications are publicly accessible
• Process data elements from within HTTP requests
• Fail to identify how data elements were captured –
difficult to know what kind of validation and sanity
checking to use 
 Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas.

Application
Application Mapping
Administration Cookie Manipulation
Custom Application
Extension Checking Scripting
Common File Checks Parameter Manipulation
Data Extension Checking Reverse Directory
Backup Checking Transversal
Platform
Directory Enumeration Brute Force
Path Truncation Application Mapping
Known Vulnerabilities
Hidden Web Paths Cookie Poisoning/Theft
Forceful Browsing Buffer Overflow
SQL Injection
Cross-site scripting
Web Application Vulnerabilities

Platform:
• Known vulnerabilities can be
exploited immediately with a
minimum amount of skill or
experience – “script kiddies”
• Most easily defendable of all
Platform web vulnerabilities
Known • MUST have streamlined
Vulnerabilities
patching procedures
Web Application Vulnerabilities
Administration:
Administration
• Less easily corrected than known
issues
Extension Checking
Common File Checks
• Require increased awareness
Data Extension
• More than just configuration, must
Checking be aware of security flaws in actual
Backup Checking content
Directory
Enumeration • Remnant files can reveal
Path Truncation applications and versions in use
Hidden Web Paths
Forceful Browsing
• Backup files can reveal source code
and database connection strings
Web Application Vulnerabilities
Application Programming:
• Common coding techniques do not
Application
necessarily include security
Application Mapping • Input is assumed to be valid, but not
Cookie Manipulation tested
Custom Application
Scripting • Unexamined input from a browser
Parameter Manipulation can inject scripts into page for replay
Reverse Directory
Transversal
against later visitors
Brute Force • Unhandled error messages reveal
Application Mapping application and database structures
Cookie Poisoning/Theft
Buffer Overflow
• Unchecked database calls can be
SQL Injection ‘piggybacked’ with a hacker’s own
Cross-site scripting database call, giving direct access to
business data through a web
browser
 e s
Is su
•Security Objectives. Setting objectives helps you scope and prioritize your work by setting
boundaries and constraints. Setting security objectives helps you identify where to start, how to
proceed, and when you are done.
•Threat Modeling. Threat modeling is an engineering technique that can help you identify threats,
attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat
modeling to shape your application’s design, meet your company’s security objectives, and reduce risk.
•Security Design Guidelines. Creating design guidelines is a common practice at the start of an
application project to guide development and share knowledge across the team. Effective design
guidelines for security organize security principles, practices, and patterns by actionable categories.
•Security Design Inspection. Security design inspections are an effective way to identify problems in
your application design. By using pattern-based categories and a question-driven approach, you
simplify evaluating your design against root cause security issues.
•Security Code Inspection. Many security defects are found during code reviews. Analyzing code for
security defects includes knowing what to look for and how to look for it. Security code inspections
optimize inspecting code for common security issues. 
Security Testing. Use a risk-based approach and use the output from the threat modeling activity to
help establish the scope of your testing activities and define your test plans.
•Security Deployment Inspection. When you deploy your application during your build process or
staging process, you have an opportunity to evaluate runtime characteristics of your application in the
context of your infrastructure. Deployment reviews for security focus on evaluating your security design
and configuration of your application, host, and network.
References

• https://www.techopedia.com/definition/24377/web-application-
security