Web Applications Introduction
Web apps are software programs that run on web servers and are accessible over the Internet through web browsers.
They follow the client-server model: the application's logic and data are hosted on a web server, and users access it through a user interface by sending requests to the server.
Web Application Security Practices
- Authentication and authorization
- Input validation
- Secure communication
- Secure coding practices
- Regular security updates
- Least privilege principle
- Web Application Firewalls (WAF)
- Session management
Web Application Security Testing
Web application security testing is the process of evaluating the security aspects of a web application to identify vulnerabilities, weaknesses and potential security risks.
It involves performing tests and assessments to ensure that web applications are resistant to security threats and can effectively protect sensitive data and functionalities from unauthorized access or malicious activities.
It can be divided into different types:
- Vulnerability scanning
- Penetration testing
- Code review and static analysis
- Authentication and authorization testing
- Input validation and output encoding testing
- Session management testing
- API security testing
The purpose of web application security testing is to identify vulnerabilities and weaknesses in the web application without actively exploiting them, while web application penetration testing actively attempts to exploit identified vulnerabilities and assesses the organization's response to attacks.
Threat vs Risk
- Threat: any potential source of harm or adverse event that may exploit a vulnerability in a system.
- Risk: the potential for loss or harm resulting from a threat exploiting a vulnerability in a system. It is a combination of the likelihood of the threat occurring and the impact or severity of the resulting adverse event.
Common Web Application threats and risks:
- Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- Cross-Site Request Forgery (CSRF)
- Security misconfigurations
- Sensitive data exposure
- Brute-force and credential stuffing attacks
- File upload vulnerabilities
- DoS and DDoS
- Server-Side Request Forgery (SSRF)
- Inadequate access controls
- Using components with known vulnerabilities
- Broken access control
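The practices listed above (input validation, secure coding) and two of the threats listed here (SQL Injection and Cross-Site Scripting) meet in a few lines of code. The following Python example is added to these notes and is not code from the original page: it uses a constructed in-memory SQLite user table (names and roles are made up) to contrast a string-concatenated query with a parameterized one, adds an allow-list check for the input, and HTML-escapes the value before it is placed in a page.

```python
import html
import re
import sqlite3

# Constructed sample data: a tiny in-memory user store, not from the original notes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# Input validation: an allow-list of the characters a username may contain.
# Anything outside the expected shape is rejected before it reaches the query.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")

def validate_username(value):
    return USERNAME_RE.fullmatch(value) is not None

def lookup_role_unsafe(conn, username):
    # The 'before' form: the user-supplied value is pasted into SQL syntax,
    # so quote characters in the input change the meaning of the statement (SQLi).
    query = "SELECT role FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))

def lookup_role_safe(conn, username):
    # Parameterized query: the driver binds the value as data, never as SQL.
    rows = conn.execute("SELECT role FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)

def render_greeting(username):
    # Output encoding: escape untrusted data before it lands in HTML (mitigates XSS).
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"

if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"            # constructed input containing quote characters
    print(validate_username("alice"), validate_username(tainted))   # True False
    print(lookup_role_unsafe(db, tainted))   # both roles: the WHERE clause was rewritten
    print(lookup_role_safe(db, tainted))     # []: treated as a literal username
    print(render_greeting("<b>alice</b>"))   # tags are escaped, not rendered
```

The three defenses are layered on purpose: the allow-list rejects malformed input early, parameter binding makes the query correct even when validation is bypassed, and escaping at output time protects the page regardless of where the value came from.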
Web Application Architecture
Web applications are built on the client-server model:
- Client: it represents the user interface and user interaction with the web application.
- Server: it represents the back-end of the web application.