Introduction
A web application is software that runs on a web server and is used through a web browser to perform specific tasks. Any
web application has several layers: the web server, the application content hosted on that
server, and a backend interface layer that integrates with databases and other applications. Web application
architecture is designed to scale, and its components are built for high availability.
User Access
A web application provides different roles for user access depending on the business requirements and
use cases. A classic example is digital banking, where a customer wants to access
banking functions to check the balance of their account or transfer money to someone else. Another
example is a Linux administrator who wants to grant privileges and rights only to authorized
users.
A web application controls user access with three security mechanisms:
Authentication
Session management
Access control
Authentication is establishing which user the supplied credentials belong to. This is usually done with a user
name and password. Additional factors can be required, such as a one-time code sent to the user's mobile number or
a biometric.
Session management keeps the user signed in across requests while using the web
application. Each login creates a session, identified by a token that the browser presents on every later request. Session lifetime and handling
vary depending on the use case and application.
Access control decides, for each HTTP request, whether the authenticated user may perform the requested action on the requested data. It is the last layer of
defense in user access: a failure here lets an authenticated user act outside their role or on another user's data.
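The three mechanisms above, wired together for the banking scenario, as an added example that is not part of the original text. The user table, the account numbers, the static salt and the hard-coded key are constructed for the example (a real deployment would use a per-user salt and a key from a secret store); the token format is an HMAC-signed JSON claim set, which is one common way to implement a session token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: in a real deployment this key comes from a secret store, not source code.
SECRET_KEY = b"demo-only-replace-with-32-random-bytes"
SALT = b"demo-static-salt"  # assumption: real systems use a per-user random salt


def hash_password(password: str) -> bytes:
    # scrypt is used because it is in the standard library; argon2 or bcrypt are equally good.
    return hashlib.scrypt(password.encode(), salt=SALT, n=2**14, r=8, p=1)


# Constructed user table: alice is a customer who owns one account, bob is an administrator.
USERS = {
    "alice": {"pw": hash_password("correct horse battery"), "role": "customer", "accounts": {"10000001"}},
    "bob": {"pw": hash_password("hunter2hunter2"), "role": "admin", "accounts": set()},
}


def authenticate(username: str, password: str) -> bool:
    """Authentication: do these credentials belong to a known user?"""
    user = USERS.get(username)
    candidate = hash_password(password)  # always computed, so unknown users cost the same time
    return user is not None and hmac.compare_digest(candidate, user["pw"])


def issue_session(username: str, now: Optional[int] = None, ttl: int = 900) -> str:
    """Session management: an expiring, HMAC-signed token the browser sends on every request."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = base64.urlsafe_b64encode(hmac.new(SECRET_KEY, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def read_session(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Returns the claims if the signature is valid and the session has not expired, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.encode().split(b".")
    except ValueError:
        return None
    expected = base64.urlsafe_b64encode(hmac.new(SECRET_KEY, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None


def forge_session(token: str, new_claims: dict) -> str:
    """What an attacker can try: swap the claims but keep the old signature."""
    _, sig = token.split(".")
    body = base64.urlsafe_b64encode(json.dumps(new_claims).encode()).decode()
    return body + "." + sig


def authorize(claims: Optional[dict], action: str, account: Optional[str] = None) -> bool:
    """Access control: may this user perform this action on this resource? Default deny."""
    if claims is None:
        return False
    user = USERS.get(claims["sub"])
    if user is None:
        return False
    if action in ("view_balance", "transfer"):
        return account in user["accounts"]  # horizontal check: only the user's own accounts
    if action == "manage_users":
        return user["role"] == "admin"  # vertical check: admin-only function
    return False


def handle_request(token: str, action: str, account: Optional[str] = None,
                   now: Optional[int] = None) -> int:
    """Run the layers in order and return an HTTP-style status code."""
    claims = read_session(token, now)
    if claims is None:
        return 401  # no valid session: the session layer rejects the request
    if not authorize(claims, action, account):
        return 403  # valid session but not permitted: access control is the last layer
    return 200
```

Note the two distinct failures: a tampered or expired token never reaches authorization (401), while a valid session for alice asking for bob's account or for the admin function is stopped only by the access-control check (403). If that check were missing, nothing else in the chain would catch it.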
User Input
All user input to a web application is untrusted. The application must have defense
mechanisms in place so that a user cannot inject malicious code or break the site. Input validation can be
applied at several levels depending on the business need:
Rejecting known bad input: the web server checks input against a blacklist of dangerous words or patterns
(for example SQL keywords). On its own this is weak, because alternative encodings and spellings bypass the list.
Accepting known good input: a set of rules defines what valid input looks like, for example only an
eight-digit number is accepted as a bank account number. Anything that does not match is rejected rather than cleaned up.
Safe data handling: data is processed in a way that cannot be subverted even if it is malicious, for example parameterized database queries.
Semantic checks: input that is well-formed may still be wrong in context, for example an account number that is valid but does not belong to the logged-in user.
Multistep validation: every component that handles the input checks it again, and input is canonicalized first so that encoded and decoded variants cannot slip through a single check.
Boundary validation: validation at every external interface, both between the client and the application and between the application and other back-end systems.
Handling Hackers
To detect attacks on the web application and raise timely alerts we need the following:
Audit log records
IP address blocking
Intrusion Detection systems
Firewalls
The application should be configured so that key alerts are raised immediately when an attacker is detected, for
example repeated failed logins from one address or requests that fail input validation, and so that the offending source can be blocked.
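Detection logic of the kind the list above calls for, as an added example that is not from the original text: a sliding-window count of failed logins per source address over audit log lines, producing alerts and an IP block list. The log lines and their format (timestamp, event, user=, ip=) are constructed for the example; the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed audit-log lines for the example; the format is an assumption, not a real product's.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:03Z LOGIN_FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:04Z LOGIN_OK user=carol ip=198.51.100.2
2024-05-01T10:00:05Z LOGIN_FAIL user=bob ip=203.0.113.7
2024-05-01T10:00:06Z LOGIN_FAIL user=dave ip=203.0.113.7
2024-05-01T10:00:08Z LOGIN_FAIL user=erin ip=203.0.113.7
2024-05-01T10:00:09Z LOGIN_OK user=alice ip=198.51.100.9
2024-05-01T10:09:30Z LOGIN_FAIL user=alice ip=198.51.100.9
2024-05-01T10:20:00Z LOGIN_FAIL user=alice ip=198.51.100.9
this line is not in the expected format
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+user=(\S+)\s+ip=(\S+)$")


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, user, ip = m.groups()
    epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    return {"ts": epoch, "stamp": ts, "event": event, "user": user, "ip": ip}


def detect(log_text, window=60, threshold=5):
    """Sliding-window count of failed logins per IP.

    Returns (alerts, blocked): alerts describe what fired and why; blocked is the set of
    addresses to hand to the firewall or IP block list.
    """
    failures = defaultdict(deque)  # ip -> deque of (timestamp, user) inside the window
    blocked = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "LOGIN_FAIL":
            continue
        q = failures[rec["ip"]]
        q.append((rec["ts"], rec["user"]))
        while q and rec["ts"] - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in blocked:
            blocked.add(rec["ip"])
            users = {u for _, u in q}
            # many accounts from one address is password spraying; one account is brute force
            kind = "password_spray" if len(users) >= 3 else "brute_force"
            alerts.append({"ip": rec["ip"], "kind": kind, "failures": len(q),
                           "users": sorted(users), "at": rec["stamp"]})
    return alerts, blocked
```

The window matters: the second address fails twice, but ten minutes apart, so it is never blocked even at a threshold of two; the first address trips the rule on its fifth failure within seven seconds, and because four different accounts were tried the alert is labelled as spraying rather than a brute-force attempt on one account.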
Unvalidated redirects
These occur when a web application takes the target of a redirect from untrusted input, such as a URL
parameter, and sends the user there without checking it. By pointing that parameter at a malicious site, the attacker
builds a link that starts with the trusted domain but lands the victim on a phishing page, where the attacker steals the user's credentials.
The same flaw can also be used to forward a request carrying the user's credentials or tokens to functions the attacker
normally cannot access.
The fix is to avoid using user input as the redirect target at all: have the user supply a short name, ID or token that is mapped server-side to the full target
URL, so that only pre-approved destinations are reachable. If a URL must be accepted, parse it and allow only a relative path on the same host.
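The vulnerable pattern and the server-side mapping fix described above, as an added example that is not part of the original text. The site origin and the redirect table are assumptions constructed for the example. It also shows the protocol-relative `//host` trick that defeats a naive "starts with a slash" check, and a parser-based check for the case where a real path has to be accepted.

```python
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://bank.example"  # assumed origin of the application

# Assumed server-side table: the client sends the short name, never the URL.
REDIRECT_TARGETS = {
    "home": "https://bank.example/dashboard",
    "statements": "https://bank.example/statements",
    "help": "https://support.bank.example/",
}


def naive_redirect(target: str) -> str:
    """Vulnerable: trusts any parameter that starts with '/', assuming it is a local path."""
    if target.startswith("/"):
        return urljoin(SITE_ORIGIN, target)  # '//evil.example/x' becomes 'https://evil.example/x'
    return SITE_ORIGIN + "/"


def safe_redirect(name: str) -> str:
    """Fixed: indirect reference, so only pre-approved destinations are reachable."""
    return REDIRECT_TARGETS.get(name, REDIRECT_TARGETS["home"])


def is_local_path(target: str) -> bool:
    """Fallback when a path must be accepted: it must be a path on this host, nothing more."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:  # 'https://evil.example', '//evil.example', 'javascript:...'
        return False
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False  # browsers treat '/\evil.example' like '//evil.example'
    return True


def validated_redirect(target: str) -> str:
    """Accept a raw path only after is_local_path; otherwise fall back to a fixed page."""
    return urljoin(SITE_ORIGIN, target) if is_local_path(target) else SITE_ORIGIN + "/"
```

The mapping approach is preferable because the attacker never controls any part of the destination; the parser-based check is the fallback, and even then the fallback on failure is a fixed page, not the untrusted value.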
SQL injection
SQL injection is the injection of malicious SQL via the input data sent from the client to the
web application, so that the input is executed as part of a database query instead of being treated as data.
A successful SQL injection can read, modify and delete sensitive information in the database.
It can issue commands to the operating system through database features.
It can gain administrative control over the operation of the database.
All of this is done through ordinary SQL statements.
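The account-balance lookup from the User Input section, first written with string concatenation so that the SQL injection described here works, then rewritten with the three layers the text names (accept known good, semantic check, safe data handling). This is an added example, not code from the original text; the in-memory SQLite table, the account numbers and the eight-digit account format are constructed assumptions.

```python
import re
import sqlite3

# Assumption: account numbers are exactly eight ASCII digits.
ACCOUNT_RE = re.compile(r"[0-9]{8}")


def validate_account_number(raw: str):
    """Accept known good: only an 8-digit string passes; everything else is rejected, not cleaned."""
    value = raw.strip()
    return value if ACCOUNT_RE.fullmatch(value) else None


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the bank's account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (number TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("10000001", "alice", 1200),
        ("10000002", "bob", 50),
        ("10000003", "carol", 999999),
    ])
    return conn


def balance_vulnerable(conn, owner: str, account: str):
    """Builds the query by concatenation: the account parameter becomes part of the SQL."""
    sql = f"SELECT number, balance FROM accounts WHERE owner = '{owner}' AND number = '{account}'"
    # With account = "x' OR '1'='1" the WHERE clause becomes
    #   owner = 'alice' AND number = 'x' OR '1'='1'   -> every row in the table
    return conn.execute(sql).fetchall()


def balance_safe(conn, owner: str, account: str):
    """owner comes from the authenticated session; account is the untrusted request parameter."""
    number = validate_account_number(account)
    if number is None:
        return []  # accept known good: anything that is not 8 digits is rejected outright
    # Safe data handling: the driver binds the value, so it can never change the query text.
    row = conn.execute(
        "SELECT number, owner, balance FROM accounts WHERE number = ?", (number,)
    ).fetchone()
    # Semantic check: a well-formed number that belongs to someone else is still refused.
    if row is None or row[1] != owner:
        return []
    return [(row[0], row[2])]
```

Each layer stops a different thing: the allowlist stops the quote in the payload ever reaching the database, the bound parameter would stop it even if validation were skipped, and the ownership check stops alice from reading bob's balance with a perfectly valid account number.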
File upload vulnerabilities
Many web applications provide functionality for uploading files.
These files can be text, pictures, audio, video and other formats.
Upload handling needs care: the file name and MIME type arrive from the client and cannot be trusted.
An attacker can send a crafted multipart/form-data POST request with a chosen file name and MIME type so that the uploaded content is stored as a script and executed by the server.
At that point the attacker controls what the upload feature stores and runs.
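One way to harden the upload handler described above, as an added example that is not part of the original text: the client's file name and Content-Type are treated as untrusted hints, the extension must be on an allowlist and must agree with the file's leading bytes, and the file is stored under a random name. The set of accepted types, the size limit and the sample file contents are assumptions constructed for the example.

```python
import os
import secrets

# Assumptions for the example: only images are accepted, identified by extension AND leading bytes.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024


def check_upload(filename: str, declared_mime: str, data: bytes) -> dict:
    """Decide whether an uploaded file is acceptable and, if so, what name to store it under.

    Both the file name and the declared Content-Type come from the client, so neither is
    trusted: the declared type is only recorded for the audit log.
    """
    if len(data) > MAX_BYTES:
        return {"ok": False, "reason": "too large"}
    base = os.path.basename(filename.replace("\\", "/"))  # drop any directory part the client sent
    if "." not in base:
        return {"ok": False, "reason": "no extension"}
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return {"ok": False, "reason": f".{ext} not allowed"}
    if not data.startswith(ALLOWED_TYPES[ext]):
        return {"ok": False, "reason": "content does not match extension"}
    # Store under a random name so that 'shell.php.png' or any other attacker-chosen name
    # never reaches disk; the original name is kept only for the audit log.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return {"ok": True, "stored_as": stored, "original": base, "declared_mime": declared_mime}
```

Two caveats a practitioner would add: the magic-byte check does not stop a valid image with script code appended to it, so the upload directory should sit outside the web root and be served through a handler that never executes its contents; and the declared MIME type should be set by the server on download (with `X-Content-Type-Options: nosniff`), not echoed from what the client sent.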