DEV Community

Cover image for Web Security
Jeferson 'Shin' Leite Borges
Jeferson 'Shin' Leite Borges

Posted on • Updated on

Web Security

What are these texts?
I was studing and for me to have some real study done I need to write it down, this is a small collection of topics that I studied in the last few weeks.
Other links from the same study-pool:

Web Security

Web apps have become essential business enablers as more organizations use them for a variety of purposes, including e-commerce, customer engagement, and employee empowerment. These apps continue to be the target of serious cyber attacks despite the fact that they generate enormous amounts of user and organizational data. Web security fundamentals, common vulnerabilities, and resources to keep up with the shifting threat landscape are covered in this article.

Online Web Applications Security Project (OWASP)

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security. One of OWASP’s core principles is that all of their materials be freely available and easily accessible on their website, making it possible for anyone to improve their own web application security. The materials they offer include documentation, tools, videos, and forums. Perhaps their best-known project is the OWASP Top 10.

Top ten list

  1. Injection.
    Before understanding user input, web apps that take it must correctly validate it. Attackers may inject code or commands that are then executed if this is not done correctly. A successful injection can lead to a number of detrimental effects, ranging from attackers gaining access to sensitive information to losing administrative control of the server.

  2. Broken Authentication.
    Many web applications depend on authentication and session management. Attackers may be able to steal user identities and accounts thanks to security weaknesses in these procedures.

  3. Sensitive Data Exposure.
    To keep it from being accessed by outside parties, web applications must secure the data they process, both while it is in transit and while it is at rest. This is crucial for PII that relates to financial data, healthcare data, and other types of PII (Personally Identifiable Information). Credit card fraud, identity theft, account takeover, and other attacks are included in the risk category of sensitive data exposure.

  4. XML External Entities (XXE).
    A common format for storing and sharing data is XML and JSON. It features the capability to dereference local or external URIs using the parser. An attacker may use a poorly-configured parser in a number of different ways. Malicious XML/JSON can attempt remote code execution, refer to confidential local data (such a file containing user credentials), or conduct a DoS (Denial of Service) assault by accessing local resources, among other things.

  5. Broken Access Control.
    This refers to inadequately-enforced restrictions on what authenticated users are allowed to do. A system with this flaw can allow attackers to gain unauthorized access to data, and even to interfere with the access that legitimate users have.

  6. Security Misconfiguration.
    This group of dangers is highly diverse. It covers a wide range of topics, such as unpatched vulnerabilities in services, libraries, frameworks, and applications, incorrectly configured HTTP headers, sensitive information contained in verbose error messages that can be used to strengthen an attack, and open cloud storage (data stored in the cloud with unrestricted access privileges).

  7. Cross-Site Scripting (XSS).
    Numerous online apps include user inputs into their sites. In XSS, an attacker provides inputs that contain scripts, the attacker wants the scripts to be included in the pages delivered to other users. (Common examples include comments, product reviews, user profiles for membership sites, etc.) An attacker can do a number of things if a web application does not correctly validate its inputs, including hijacking user sessions, changing the pages that are served to other users, and rerouting other users to malicious websites.

  8. Insecure Deserialization.
    XML and JSON are often used to serialize data. Web applications are vulnerable to malware payloads if they receive serialized data from unreliable sources. Numerous exploits, such as privilege escalation and remote code execution, may emerge from this.

  9. Using Components with Known Vulnerabilities.
    If a library or framework that an application utilizes has a known exploit, the attacker may be able to access the same internal resources as the program if they are successful. Depending on the application's access, this might lead to anything from server espionage and remote code execution to data theft.

  10. Insufficient Logging & Monitoring.
    Web applications must accurately record events so that administrators may determine if potentially malicious activity is taking place. Organizational regulations should also mandate that administrators keep a close eye on the logs to see what's happening. Failure to do so will significantly increase the harm done by successful attacks and frequently enable attackers to switch targets and broaden the scope of their operations. This risk might appear the simplest to manage out of the top 10, yet it still poses a serious threat to business.

Some Specifics

OWASP is a gives the general idea on how to manage and work with the security for web applications. Still there is some common know vector for attacks.

SQL Injection

An attacker can take advantage of weaknesses in a database's search process by using SQL injection. SQL injection allows an attacker to get access to sensitive data, create or modify user rights, or carry out data change, manipulation, or destruction schemes. A hacker can thus seize important data or change it to prevent or manage the operation of a vital system. An easy way to accomplish this though non-validate user input, or query params.

Cross-site Scripting

Cross-site scripting (XSS) is the name of a flaw that allows attackers to place client-side scripts inside of a page. This is then utilized to have immediate access to crucial info. A hacker may employ XSS to impersonate another user or trick a user into exposing important information. Some examples could be unintentional ability for the user to add custom details on their profile non-validating this user input.

Remote File Inclusion

With remote file inclusion, an attacker makes use of flaws in a web application to reference external scripts. The attacker can then try to upload malware using an application's referencing feature. These malware varieties are also known as backdoor shells. The entire process is carried out from a different Uniform Resource Locator (URL) on a different domain.

Password Breach

Password hacking is a frequent method used to access online resources. Frequently, a hacker will use a password that a user or administrator had previously used to sign in to a different website for which the hacker has a list of login information.

In other instances, hackers employ a method known as "password spraying," in which they utilize well-known passwords like "12345678" or "password123" and attempt each one individually until they succeed in gaining access. Other methods include employing keyloggers or just looking for your password on paper and utilizing it.

Data Breach

An information breach occurs when private or delicate data is made public. Data breaches can occasionally occur by mistake, but they are frequently the work of hackers who want to use or sell the data.

Malware Installation

Malware can do a great deal of harm once it has been installed on a local network, including data exfiltration, ransomware encryption, and extortion.


Since the majority of attacks begin with phishing emails, online security must have a method to prevent fraudulent emails from getting to an employee's inbox.

Distributed denial-of-service (DDoS)

The distributed denial-of-service (DDoS) assault allows attackers to disrupt services for days at a time, harming revenue and operational continuity.

Tool of trade when dealing with web security

These are some ways to protect the web application against some attack vectors.

Web Application Firewall (WAF)

A good WAF can potentially reduce or stop DDoS attacks and reduce or block malicious code injection when users submit information using online forms. It can substantially boost your techniques and reduce attacks, but it shouldn't be the only way to counter web-based attacks.

Vulnerability scanners

Before it is put into use, any software should be penetration tested, but even in production, it should be regularly checked for security flaws. Scanners carry out simple hacker behaviors to discover weaknesses in your software. You can address problems before they lead to a serious data breach if you identify vulnerabilities before attackers do. Good scanning tools also look for corporate infrastructure configuration errors.

Fuzzing tools

Similar to scanners, fuzzing tools can evaluate code as it is being produced in real time. A fuzzer checks the code before it is deployed to staging, throughout testing, and lastly before it is deployed to production. A fuzzer, as opposed to a straightforward scanner, offers information on the potential issue to assist developers and operational staff in resolving it.

Black box testing tools

Black box testing techniques simulate real-world attacks to detect flaws in software, which attackers utilize in a variety of ways. These tools carry out harmful operations against installed software to find potential security holes and make use of widely available exploits to assist developers in fixing problems.

White box testing tools

Coding errors cause widespread vulnerabilities to be introduced as developers create their programs. A white box testing tool evaluates code as it is written and gives developers knowledge to assist them avoid frequent errors. Consider white box testing as a means to monitor the creation of software in order to identify vulnerabilities before the code is compiled and released to testing and production settings.

Top comments (0)