
Assignment-1.

Student Name: Ashish Yadav UID: 20BCA1335


Branch: BCA Section/Group: BCA4/B
Semester: 5 Date of Performance: 07-10-2022
Subject Name: Web Security Subject Code: 20CAT-313

1-Define Path Traversal and explain how you can find and prevent Path
Traversal vulnerabilities.

A path traversal attack (also known as directory traversal) aims to access files
and directories that are stored outside the web root folder. By manipulating
variables that reference files with “dot-dot-slash (../)” sequences and their
variations, or by using absolute file paths, it may be possible to access
arbitrary files and directories stored on the file system, including application
source code, configuration files and critical system files. It should be noted that
access to files is still limited by the operating system's access control (such as in the
case of locked or in-use files on the Microsoft Windows operating system).

This attack is also known as “dot-dot-slash”, “directory traversal”, “directory
climbing” and “backtracking”.

How to identify if you are vulnerable

Be sure you understand how the underlying operating system will process
filenames handed off to it.

Don’t store sensitive configuration files inside the web root

For Windows IIS servers, the web root should not be on the system disk, to
prevent recursive traversal back to system directories.

How to protect yourself


Prefer working without user input when using file system calls.

Use indexes rather than actual portions of file names when templating or
using language files (i.e. value 5 from the user submission = Czechoslovakian,
rather than expecting the user to return “Czechoslovakian”).

Ensure the user cannot supply all parts of the path – surround it with your
path code

Validate the user’s input by only accepting known good – do not sanitize the
data
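The following Python example is added here to illustrate the points above; it is not part of the original assignment. It contrasts the naive pattern (user input joined straight onto the web root) with a defensive version that accepts only known-good file names, verifies that the resolved path stays inside the root, and uses an index lookup for language files instead of a user-supplied name. `WEB_ROOT`, the allow-list pattern and the `LANGUAGE_FILES` table are constructed values for the demonstration.

```python
import os
import re
from typing import Optional

# Constructed web root for the demonstration (assumption: files are served from here).
WEB_ROOT = "/var/www/app/public"

# Known-good input only: a plain file name with a small set of allowed extensions.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(html|css|js|png)$")

# Index-to-file mapping (constructed): the user submits a number, never a path fragment.
LANGUAGE_FILES = {
    1: "lang/en.properties",
    2: "lang/cs.properties",
}


def vulnerable_resolve(user_path: str) -> str:
    """The insecure pattern: the user-controlled value is joined directly onto the root.
    '../' sequences climb out of WEB_ROOT, and an absolute path replaces the root entirely
    (os.path.join discards everything before an absolute component)."""
    return os.path.normpath(os.path.join(WEB_ROOT, user_path))


def escapes_web_root(path: str) -> bool:
    """True if the resolved path is not inside WEB_ROOT."""
    root = os.path.realpath(WEB_ROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def safe_resolve(user_path: str) -> Optional[str]:
    """Defensive version: accept only known-good names, then verify that the resolved
    absolute path is still under WEB_ROOT. Returns None when the request is rejected."""
    if not SAFE_NAME.match(user_path):
        return None
    candidate = os.path.realpath(os.path.join(WEB_ROOT, user_path))
    # Second, independent check: even if the allow-list were loosened later,
    # nothing outside the root is ever returned.
    if escapes_web_root(candidate):
        return None
    return candidate


def language_file(user_value: str) -> Optional[str]:
    """Language-file lookup by index: the file name never comes from the user."""
    try:
        return LANGUAGE_FILES.get(int(user_value))
    except ValueError:
        return None


if __name__ == "__main__":
    for p in ["index.html", "../../../../etc/passwd", "/etc/passwd"]:
        naive = vulnerable_resolve(p)
        print(f"{p!r:28} naive -> {naive} (escapes root: {escapes_web_root(naive)})")
        print(f"{'':28} safe  -> {safe_resolve(p)}")
    print("language 2 ->", language_file("2"), "| language 'abc' ->", language_file("abc"))
```

The second check in `safe_resolve` is deliberately redundant with the allow-list: validation by accepting known good is the primary control, and the root-containment check is the safety net if the pattern is ever relaxed.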

2-Explain Authentication

Authentication is the process of establishing a user's identity when they access
a network or computer system. Authentication aids in confirming a person's
claim to be who they say they are. Access to a certain account, resource, or
computer system is granted after the identification has been verified.

In a nutshell, authentication is the process of using a set of credentials to
identify a person in a unique way. Verifying a person's or a device's identity
online is known as authentication. Because it improves customer data
security, authentication becomes necessary. No one is allowed to access your
data on the website without first verifying or authenticating themselves.

The most well-known instance of authentication is utilizing login credentials
to access a system.
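As an added example (not part of the original assignment), the following Python code shows credential-based authentication as described above: a password is never stored, only a salted PBKDF2 hash of it, and a login attempt is verified by deriving the same hash and comparing it in constant time. The in-memory `_USERS` store and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed in-memory credential store: username -> (salt, derived key).
# Assumption: a real system keeps this in a database; it is inline so the example runs offline.
_USERS: Dict[str, Tuple[bytes, bytes]] = {}

ITERATIONS = 100_000          # PBKDF2 work factor (constructed value for the example)
_DUMMY_SALT = b"\x00" * 16    # used so unknown usernames cost the same time as known ones


def _derive(password: str, salt: bytes) -> bytes:
    """Derive a key from the password and salt; this is what gets stored and compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived key; the plain password is discarded."""
    salt = os.urandom(16)
    _USERS[username] = (salt, _derive(password, salt))


def authenticate(username: str, password: str) -> bool:
    """Confirm the claimed identity: recompute the derived key and compare it in constant time."""
    record = _USERS.get(username)
    if record is None:
        # Spend the same work for unknown users so response time does not reveal valid names.
        _derive(password, _DUMMY_SALT)
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("alice / right password :", authenticate("alice", "correct horse battery staple"))
    print("alice / wrong password :", authenticate("alice", "Tr0ub4dor&3"))
    print("bob (unknown) / any    :", authenticate("bob", "anything"))
```

Only after `authenticate` returns true would the application grant access to the account or resource, which is the "access is granted after identification has been verified" step in the text.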

3-What is the difference between Encoding & Encryption?

Encryption and encoding are terms that are commonly interchanged and used
incorrectly. There is a lot of difference between these two terms, and it is very
important to know the differences.

1. Encryption :

It is a process used to convert simple readable data, known as plain text, into
unreadable data, known as ciphertext, which can only be converted back to plain
text if the user knows the encryption key. It is used basically to keep our data
safe. The main purpose of encryption is to convert our data into such a form that
it is garbage to a person who does not know the encryption key. It is used to
prevent unauthorized access. The reverse of encryption is decryption, and it is
used to get back the plain text from the ciphertext. For decryption, we must know
the encryption key and the encryption algorithm.

2. Encoding :

It is the process to transform data in such a format that it can be easily used
by different types of systems. The algorithm used to encode the data is
publicly available and it can be easily decoded in the readable form if the
person knows the algorithm. It does not require any key to decode the
information. The main purpose is data usability instead of confidentiality. The
main aim of encoding is to transform the data so that it can be properly used
by a different type of system. It is not used to protect the data as it is easy to
reverse in comparison to encryption.
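The following Python example is added to make the contrast concrete; it is not part of the original assignment. Base64 stands in for encoding: the algorithm is public and anyone can reverse it with no key. A one-time pad (XOR with a random key as long as the message) stands in for encryption: the ciphertext is reversible only with the key. The one-time pad is chosen because it is a genuine cipher that runs with the standard library alone; the sample message is constructed.

```python
import base64
import secrets
from typing import Tuple


def encode(data: bytes) -> str:
    """Encoding: a public, keyless transform for usability (e.g. binary in a text field)."""
    return base64.b64encode(data).decode("ascii")


def decode(text: str) -> bytes:
    """Anyone who knows the algorithm reverses encoding; no secret is involved."""
    return base64.b64decode(text)


def encrypt(plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encryption with a one-time pad: XOR each byte with a fresh random key byte.
    Returns (key, ciphertext). Without the key the ciphertext is indistinguishable
    from random bytes. A pad key must never be reused for a second message."""
    key = secrets.token_bytes(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
    return key, ciphertext


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Decryption: the same XOR with the same key restores the plain text."""
    if len(key) != len(ciphertext):
        raise ValueError("one-time pad key must match the message length")
    return bytes(c ^ k for c, k in zip(ciphertext, key))


def demo() -> dict:
    """Run both transforms on a constructed message and return the observations."""
    message = b"account balance: 1200"          # constructed sample plaintext
    encoded = encode(message)
    key, ciphertext = encrypt(message)
    wrong_key = bytes(b ^ 0xFF for b in key)    # every byte differs from the real key
    return {
        "encoded": encoded,
        "decoded_without_key": decode(encoded),
        "decrypted_with_key": decrypt(key, ciphertext),
        "decrypted_with_wrong_key": decrypt(wrong_key, ciphertext),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26} {value!r}")
```

Note that the encoded form reveals the message to anyone, while the wrong-key "decryption" yields garbage, which is exactly the distinction the text draws between usability and confidentiality.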

4-Describe the term Protocol

Sometimes referred to as an access method, a protocol is a standard used to
define a method of exchanging data over a computer network, such as a LAN,
the Internet or an intranet.

Each protocol has its own method for how data is formatted when sent and
what to do when it is received, how to check for errors in data transmission, and how
data is divided into packets/segments over the network.

A few of the most commonly used protocols are:

HTTP
IP
SMTP
VoIP, etc.

5-Why are we using firewalls?

FIREWALL

A firewall is a system designed to prevent unauthorized access to or from a
private network. You can implement a firewall in either hardware or software
form, or a combination of both. Firewalls prevent unauthorized Internet users
from accessing private networks connected to the Internet, especially
intranets. All messages entering or leaving the intranet (i.e., the local network
to which you are connected) must pass through the firewall, which examines
each message and blocks those that do not meet the specified security criteria.

IMPORTANCE

If your PC is connected to the Internet, you are a potential target for an array
of cyber threats, such as hackers, keyloggers, and Trojans that attack through
unpatched security holes. This means that if you, like most people, shop and
bank online, you are vulnerable to identity theft and other malicious attacks.

A firewall works as a barrier, or a shield, between your PC and cyberspace.
When you are connected to the Internet, you are constantly sending and
receiving information in small units called packets. The firewall filters these
packets to see if they meet certain criteria set by a series of rules, and
thereafter blocks or allows the data. This way, hackers cannot get inside and
steal information such as bank account numbers and passwords from you.
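As an added example (not part of the original assignment), the Python code below models the packet-filtering behaviour described above: each packet is checked against an ordered list of rules, the first matching rule decides, and anything no rule allows is blocked by default. The `Packet` and `Rule` types, the rule set and the sample packets are all constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet header (constructed for the example)."""
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    """One filtering rule; a field left as None matches anything."""
    action: str                   # "allow" or "block"
    src: Optional[str] = None     # source network in CIDR notation
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# Constructed rule set for traffic entering the private network. First match wins.
RULES: List[Rule] = [
    Rule("allow", proto="tcp", dport=443),                       # HTTPS from anywhere
    Rule("allow", src="192.168.1.0/24", proto="tcp", dport=22),  # SSH only from the LAN
    Rule("block", src="198.51.100.0/24"),                        # a blocked source range
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return the decision for one packet. Nothing explicitly allowed is blocked (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


def audit(packets: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[Packet, str]]:
    """Evaluate a batch of packets; useful for checking a rule set against sample traffic."""
    return [(pkt, filter_packet(pkt, rules)) for pkt in packets]


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Packet("203.0.113.7", "10.0.0.5", "tcp", 443),
        Packet("203.0.113.7", "10.0.0.5", "tcp", 22),
        Packet("192.168.1.20", "10.0.0.5", "tcp", 22),
        Packet("198.51.100.9", "10.0.0.5", "tcp", 443),
        Packet("203.0.113.7", "10.0.0.5", "udp", 53),
    ]
    for pkt, decision in audit(samples):
        print(f"{pkt.proto}/{pkt.dport:<4} from {pkt.src:14} -> {decision}")
```

Rule order matters: the blocked source range in the third rule is still allowed on port 443, because the first rule matches earlier. Placing the block rule first would change that outcome, which is why rule sets should be checked against sample traffic as `audit` does.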
