Web Security | PPTX
Chapter 1: Web Security
Introduction
Key concept
• How the web application works
- What is a Web Application?
- Components of a Web Application
- Authentication and Authorization
- Web Communication Basics
• Web Application Security
- Fundamentals of Web Application Security
- Common Web Security Vulnerabilities
- Secure Coding Practices
• Client-Side vs. Server-Side
Key concept
• Web Programming with Python
• Security Tools and Scanners
• OWASP and others
1.1 What is a Web Application?
• A web application is a software program that is stored on a remote
server (or local) and delivered over the Internet (or LAN) through a
browser interface. Unlike traditional desktop applications, which are
launched by your operating system, web apps must be accessed
through a web browser.
1.1 What is a Web Application?
• Accessibility: Web applications can be accessed anytime,
anywhere, as long as there is an internet connection, unlike desktop
applications that are installed on a specific device.
• Cross-Platform Compatibility: They work across multiple platforms
regardless of the operating system or device, as long as the browser
is compatible.
• Interactivity: Allows users to interact and manipulate the data. For
example, users can enter data, which is then processed and stored,
and the output is returned in real-time.
1.1 What is a Web Application?
• Widespread Impact: When a web application is accessible across
multiple platforms, any security vulnerabilities present in the
application potentially impact a broader range of users and devices.
A single exploit can affect users on different operating systems,
browsers, and devices.
1.2 Key Components of a Web Application
Three primary components of a web application:
• The Front-End (Client-Side),
• The Back-End (Server-Side),
• The Database.
1.3 Understanding Authentication and Authorization
• Authentication: Verifying the identity of a user, typically through
login credentials. It's the first step in any secure process, ensuring
that the user is who they claim to be.
• Authorization: Determines what an authenticated user can access
and do. It's about granting or denying permissions and access to
resources within the application.
• Importance: Both are essential for securing web applications,
protecting sensitive data, and ensuring that users can only access
what they're allowed to.
1.3 Understanding Authentication and Authorization
The Process of Authentication
• Methods: Username/password is the most common. Multi-factor authentication
adds layers, like a text message code or fingerprint.
• Session Management: After a user is authenticated, a session is established.
This involves creating a session ID that is stored on the server and in the user's
browser, usually in a cookie. This session ID is used to track the user's activities
and state across multiple requests, eliminating the need to authenticate for
every action.
• Example: A user logs into an email service. Post-login, they can navigate
through their inbox, send emails, etc., without needing to re-enter credentials,
thanks to the session that's been established.
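The session mechanism described above, as an added example that is not part of the original slides: a server-side session store keyed by an unguessable id, with idle timeout, logout and id rotation. The store, the timeout value and the user names are constructed for illustration; a real application would keep the records in a database or cache and send the id in a cookie marked Secure, HttpOnly and SameSite.

```python
import secrets
import time

# Constructed in-memory store: session_id -> record. Only the opaque id
# ever reaches the browser; everything about the user stays on the server.
SESSION_TTL_SECONDS = 30 * 60
_sessions = {}


def create_session(username, now=None):
    """Issue a new session after a successful login.

    The id is 256 bits from the OS CSPRNG, so it cannot be guessed or
    enumerated; it is the only thing the client has to present later.
    """
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = {"user": username, "created": now, "last_seen": now}
    return session_id


def lookup_session(session_id, now=None):
    """Return the username for a valid session id, or None.

    Unknown ids and idle-expired sessions are rejected; a successful lookup
    refreshes the idle timer so an active user is not logged out mid-task.
    """
    now = time.time() if now is None else now
    record = _sessions.get(session_id)
    if record is None:
        return None
    if now - record["last_seen"] > SESSION_TTL_SECONDS:
        del _sessions[session_id]  # idle timeout: treat as logged out
        return None
    record["last_seen"] = now
    return record["user"]


def destroy_session(session_id):
    """Logout: drop the server-side record so a copied id stops working."""
    return _sessions.pop(session_id, None) is not None


def rotate_session(session_id, now=None):
    """Issue a fresh id for the same user (after login or a privilege change).

    Any id an attacker may have planted or observed before that point is
    dead afterwards, which is the standard defence against session fixation.
    """
    user = lookup_session(session_id, now)
    if user is None:
        return None
    destroy_session(session_id)
    return create_session(user, now)


if __name__ == "__main__":
    sid = create_session("alice")
    print("logged in as", lookup_session(sid))
    destroy_session(sid)
    print("after logout:", lookup_session(sid))
```

The `now` parameter exists only so the timeout logic can be exercised deterministically; production code calls these functions without it.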
1.3 Understanding Authentication and Authorization
Managing User Access with Authorization
• Role-Based Access Control (RBAC): Users are assigned roles (like 'admin',
'editor', 'viewer'), and each role has specific permissions. This simplifies
managing user permissions, especially in large applications.
• Access Control Lists (ACLs): These are more granular, specifying exact users
or groups and what they can access or do within the application.
• Example: In a company's internal system, an 'admin' might have complete
access to all features, while an 'editor' might only be able to modify content but
not change system settings.
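The role-based model in this slide, as an added example that is not part of the original slides: a role-to-permission table in which each role holds only what its job needs, an enforcement point that denies anything not explicitly granted, and the 'admin' versus 'editor' split from the example above. The role names, permission strings and user names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role -> permission table. Each role gets only what its job
# needs: a viewer cannot change content, an editor cannot touch system
# settings, and only an admin can do both and manage users.
ROLE_PERMISSIONS = {
    "admin": {"content:read", "content:write", "settings:read",
              "settings:write", "users:manage"},
    "editor": {"content:read", "content:write"},
    "viewer": {"content:read"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # a user may hold several roles at once


class PermissionDenied(Exception):
    pass


def permissions_for(user):
    """Union of the permissions of every role the user holds.

    An unknown role contributes nothing rather than raising, so a typo in a
    role assignment fails closed instead of granting anything.
    """
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user, permission):
    return permission in permissions_for(user)


def require(user, permission):
    """Enforcement point: call before performing the action. Deny by default."""
    if not is_authorized(user, permission):
        raise PermissionDenied(f"{user.name} lacks {permission}")


def update_system_settings(user, new_settings):
    require(user, "settings:write")
    return {"updated_by": user.name, "settings": dict(new_settings)}


def edit_article(user, article_id, body):
    require(user, "content:write")
    return {"article": article_id, "editor": user.name, "body": body}


if __name__ == "__main__":
    editor = User("ed", frozenset({"editor"}))
    print(edit_article(editor, 7, "draft text"))
    try:
        update_system_settings(editor, {"debug": True})
    except PermissionDenied as exc:
        print("denied:", exc)
```

Putting the check inside the functions that perform the action, rather than only in the UI that offers the button, is what makes the control hold when someone calls the endpoint directly.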
1.3 Understanding Authentication and Authorization
Security Vulnerabilities in Authentication
• Common Vulnerabilities: Weak passwords can be easily guessed or cracked.
Session hijacking involves an attacker stealing a user's session ID to gain
unauthorized access.
• Best Practices: Enforce strong passwords, use HTTPS to secure data
transmission, incorporate mechanisms like captcha to prevent automated login
attempts.
1.3 Understanding Authentication and Authorization
Securing Authorization Processes
• Least Privilege Principle: Give users only the access they need to perform
their tasks. This minimizes potential damage if an account is compromised.
• Regular Audits: Periodically reviewing user roles and permissions to ensure
they're still appropriate and making adjustments as necessary.
• Secure Coding: Avoid security flaws like SQL Injection, which can allow
attackers to bypass authorization checks by exploiting vulnerabilities in the
application's code.
1.3 Understanding Authentication and Authorization
Tools for Implementing Authentication and Authorization
• Authentication Frameworks: OAuth is widely used for allowing users to log in
with external accounts (like Google or Facebook). OpenID Connect is built on
top of OAuth for more robust identity verification.
• Authorization Models: JWT (JSON Web Tokens) are used for securely
transmitting information between parties as a JSON object. SAML (Security
Assertion Markup Language) is used for exchanging authentication and
authorization data between parties, particularly in enterprise settings.
1.4 Web Communication
Fundamentals of Web Communication
• Overview: Web communication is the process of exchanging data between a
client (usually a web browser) and a server over the internet.
• Protocols: The rules and standards (HTTP, HTTPS) that govern how data is
exchanged.
• Significance: Understanding these basics is crucial for grasping how web
applications function and ensuring effective and secure data transmission.
1.4 Web Communication
HTTP and HTTPS: The Backbone of Web Communication
• HTTP (Hypertext Transfer Protocol): The foundational protocol for the web,
designed for transferring HTML and other web resources.
• HTTPS (HTTP Secure): An extension of HTTP, it includes encryption
(SSL/TLS) for secure communication.
• Encryption in HTTPS: HTTPS encrypts data in transit to protect it from
eavesdropping and tampering, making it essential for secure transactions like
online banking or shopping.
2.1 Fundamentals of Web Application Security
Security's Role: In web programming, security is crucial to protect
sensitive data, maintain user trust, and comply with legal standards.
Confidentiality, Integrity, Availability (CIA):
• Confidentiality ensures that sensitive information is accessible only
to authorized individuals.
• Integrity means maintaining the accuracy and consistency of data.
• Availability refers to ensuring that information and resources are
available to those who need them.
Consequences of Insecurity: Include data breaches, identity theft,
financial loss, legal consequences, and damage to reputation.
2.2 Common Web Security Vulnerabilities
SQL Injection: Occurs when attackers manipulate a website's
database by inserting or "injecting" malicious SQL statements into a
web form or via URL parameters. It can lead to unauthorized access
and data breaches.
Cross-Site Scripting (XSS): Attackers inject malicious scripts into
web pages that are then viewed by other users. These scripts can
steal cookies, session tokens, or other sensitive information from
users' browsers.
Cross-Site Request Forgery (CSRF): An attack that forces an end
user to execute unwanted actions on a web application in which they
are currently authenticated, potentially compromising user data.
2.2 Secure Coding Practices
Input Validation: Ensure all user input is validated for type, length,
format, and range. This prevents malicious data from entering and
affecting the system.
Parameterized Queries: Use parameterized queries to prevent SQL
injection. This means specifying the structure of a SQL query and
passing each parameter as a value, not as part of the SQL string.
Error Handling: Implement proper error handling that doesn't expose
sensitive information. Provide generic error messages to users and log
detailed errors for internal use.
3. Client-Side vs. Server-Side
Client-Side (Front-End):
Refers to the part of a web application that runs on the user's browser.
Main focus: User interface and experience, including layout, design,
interactivity, and navigation.
Technologies: HTML, CSS, JavaScript, and front-end frameworks like
React, Angular, or Vue.js.
Server-Side (Back-End):
Involves the web server and database, handling the business logic of
web applications.
Main tasks: Data processing, storage, and retrieval; user
authentication; server configuration.
Technologies: Server-side languages like PHP, Java, Python,
Ruby, .NET, and back-end frameworks like Node.js, Django, Ruby on
Rails.
3. Client-Side vs. Server-Side
Client-Side Vulnerabilities
• Cross-Site Scripting (XSS): Occurs when an attacker injects
malicious scripts into content from a trusted website. This script is
then executed in the user's browser, potentially leading to stolen
cookies, session tokens, or other sensitive information.
• Insecure Direct Object References (IDOR): This occurs when an
application provides direct access to objects based on user input.
As a result, attackers can bypass authorization and access data,
such as database records or files, directly.
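The IDOR pattern in this bullet, as an added example that is not part of the original slides: a record lookup that trusts the identifier from the request beside one that checks object ownership, plus a scoped listing that never exposes foreign ids at all. The document store, owner names and identifiers are constructed for illustration.

```python
# Constructed document store standing in for database records; each record
# carries its owner so the server can decide who may read it.
DOCUMENTS = {
    1: {"owner": "alice", "title": "alice's notes"},
    2: {"owner": "bob", "title": "bob's invoice"},
}


class NotFound(Exception):
    pass


def parse_doc_id(raw):
    """Validate the identifier taken from the URL or form before using it.

    Returns an int, or None when the value is not a plain non-negative integer.
    """
    if not isinstance(raw, str) or not raw.isdigit():
        return None
    return int(raw)


def get_document_idor(raw_id):
    """Vulnerable pattern: the id from the request is used directly as the
    lookup key and whatever it names is returned, regardless of who asked."""
    doc_id = parse_doc_id(raw_id)
    if doc_id is None or doc_id not in DOCUMENTS:
        raise NotFound(raw_id)
    return DOCUMENTS[doc_id]


def get_document(current_user, raw_id):
    """Fixed pattern: the lookup is still by id, but the record is released
    only when the authenticated caller owns it. Answering 'not found' for
    someone else's record also avoids confirming that the id exists."""
    doc_id = parse_doc_id(raw_id)
    doc = DOCUMENTS.get(doc_id) if doc_id is not None else None
    if doc is None or doc["owner"] != current_user:
        raise NotFound(raw_id)
    return doc


def list_documents(current_user):
    """Scoping the query to the caller removes the problem at the source:
    ids belonging to other users are simply never reachable this way."""
    return {i: d for i, d in DOCUMENTS.items() if d["owner"] == current_user}


if __name__ == "__main__":
    print(get_document("alice", "1"))
    try:
        get_document("alice", "2")
    except NotFound as exc:
        print("not found for alice:", exc)
```

The check must compare against the identity established by the session, not against anything sent in the request, since the request is exactly what the user controls.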
3. Client-Side vs. Server-Side
Server-Side Vulnerabilities
• SQL Injection: Occurs when an attacker can insert a malicious
SQL query as part of the input to a web application, manipulating
the application's interaction with the database.
• Broken Authentication: Weaknesses in session management and
authentication mechanisms can allow attackers to compromise
passwords, keys, or session tokens, or exploit other implementation
flaws to assume other users' identities.
4. Web Programming with Python
Python's Role in Web Development: Python, known for its simplicity
and readability, is widely used in web development for both server-side
scripting and back-end development.
Popular Frameworks: Django and Flask, which facilitate rapid
development and clean, pragmatic design for web applications.
Ecosystem and Libraries: Python's rich ecosystem, including
numerous libraries and tools that support web development, data
processing, and integration with databases.
4. Web Programming with Python
Implementing User Authentication in Python
4. Web Programming with Python
Guess the vulnerabilities in this piece of code?
4. Web Programming with Python
Lack of Input Validation and Sanitization: The user input is not validated
or sanitized, making the system vulnerable to SQL Injection attacks if
connected to a database.
Cross-Site Scripting (XSS): Using render_template_string with
user-controlled input can lead to XSS vulnerabilities. An attacker could
inject malicious scripts that will be executed in the browser of anyone
viewing the rendered page.
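The render_template_string problem described above, as an added example that is not part of the original slides or of Flask: a standard-library model of the two ways the call can be written. Splicing the input into the template source (as in `render_template_string(f"<h1>Hello, {name}</h1>")`) is mirrored by `render_unsafe`; passing it as a template variable (`render_template_string("<h1>Hello, {{ name }}</h1>", name=name)`, which Flask autoescapes for string templates) is mirrored by `render_safe` using `html.escape`. The sample input is constructed, and the Flask calls named here are the page's topic, not something this snippet imports.

```python
import html
from string import Template

# Constructed input of the kind a user could type into a "name" field. It is
# inert text here; the point is what happens to its angle brackets and quotes.
SAMPLE_INPUT = '<script>alert("xss")</script>'

# The template is a constant held by the application, never built from input.
PAGE = Template("<h1>Hello, $name</h1>")


def render_unsafe(name: str) -> str:
    """Mirrors render_template_string(f"<h1>Hello, {name}</h1>"): the user's
    text is spliced into the template *source*, so any markup in it (and, in
    Jinja, any template syntax) is interpreted by the browser or the engine
    instead of being shown as text."""
    return f"<h1>Hello, {name}</h1>"


def render_safe(name: str) -> str:
    """Mirrors render_template_string("<h1>Hello, {{ name }}</h1>", name=name):
    the template is fixed and the input arrives as data. Flask autoescapes
    variables in string templates; html.escape does the same job here."""
    return PAGE.substitute(name=html.escape(name, quote=True))


def input_survives_as_markup(rendered: str, user_input: str) -> bool:
    """Check used in tests and reviews: did the raw input reach the output
    unchanged? If so, a browser would parse it as markup."""
    return user_input in rendered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_INPUT))
    print("safe:  ", render_safe(SAMPLE_INPUT))
```

Escaping at output time is the fix for XSS; the input validation from section 2.2 still applies, but a name field cannot reject every character that is meaningful in HTML, so the rendering layer has to neutralize them.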
5. Security Tools and Scanners
• Web application security tools are essential for identifying and
mitigating vulnerabilities.
• Categories include Static Analysis Security Testing (SAST),
Dynamic Analysis Security Testing (DAST), and Interactive
Application Security Testing (IAST).
• These tools are integrated into the software development lifecycle
to ensure early and frequent detection of vulnerabilities.
Static Analysis Security Testing (SAST)
SAST tools analyze source code, byte code, or binary code for
security flaws without executing the program.
Examples:
• SonarQube: Continuously inspects code quality to detect bugs,
vulnerabilities, and code smells.
• Fortify: Identifies software security vulnerabilities across multiple
programming languages.
• Checkmarx: Notable for its fast and accurate vulnerability
detection.
SAST tools are beneficial for early vulnerability identification in the
development process.
5. Security Tools and Scanners
Dynamic Analysis Security Testing (DAST)
DAST tools assess running applications to find security vulnerabilities.
Examples:
• OWASP ZAP: Offers automated scanners for various penetration
testing needs.
• Burp Suite: Advanced testing and scanning capabilities make it
popular among security professionals.
• Acunetix: Fast scanning and comprehensive vulnerability
detection.
DAST tools are effective for identifying runtime issues, including
misconfigurations and authentication flaws.
5. Security Tools and Scanners
Interactive Application Security Testing (IAST)
IAST combines static and dynamic analysis to identify vulnerabilities in
real-time.
Notable tools:
• Veracode: Provides IAST solutions along with other security testing
methods.
• Contrast Security: Analyzes code in real-time through
instrumentation, offering immediate feedback.
IAST tools stand out for their high accuracy and capability to detect
complex security issues.
6. OWASP
• OWASP, the Open Web Application Security Project, is a worldwide
not-for-profit charitable organization focused on improving the
security of software.
• It operates as a community of like-minded professionals, including
software developers, security experts, and enthusiasts, who
contribute to various open-source projects, documentation, tools,
and forums.
• OWASP's guiding principle is that all of its materials should be
freely accessible and open to anyone interested in improving
application security.
6. OWASP
OWASP Top Ten - A Standard Awareness Document
• The OWASP Top Ten is a regularly updated report outlining the ten
most critical web application security risks. It is widely considered
one of the most authoritative lists of major risks associated with
web security.
• For example, the 2021 list includes risks like Broken Access
Control, Cryptographic Failures, Injection Flaws, Insecure Design,
and Security Misconfiguration.
• The 2023 list (the OWASP API Security Top 10) includes risks like
Broken Object Level Authorization, Broken Authentication, Broken
Object Property Level Authorization, Unrestricted Resource
Consumption, and Broken Function Level Authorization.
6. OWASP
Exploring OWASP Projects and Resources
• OWASP hosts a variety of application security tools and resources.
Projects like ZAP (Zed Attack Proxy), a highly popular tool for
finding vulnerabilities in web applications, are integral to security
testing.
• WebGoat, another OWASP project, is an intentionally insecure web
application designed for educational purposes, helping developers
understand web application security.
• OWASP also provides comprehensive documentation like the
Application Security Verification Standard (ASVS), a framework for
securing web applications, and the Testing Guide, offering best
practices for security testing.
Summary
• Overview of web security concepts and their importance in modern
web development.
• Understanding the threats and vulnerabilities that web applications
face.
• Explanation of web application architecture, including client-server
models.
• Critical aspect of security in web programming, discussing common
vulnerabilities, secure coding practices.
Summary
• Specific vulnerabilities were highlighted for both client-side (like
XSS, CSRF, and Clickjacking) and server-side (such as SQL
Injection, Broken Authentication, and Sensitive Data Exposure).
• Detailed exploration of common web programming tasks, focusing
on Python for examples.
• Overview of various security tools and scanners used in web
application security.
• Comprehensive overview of the Open Web Application Security
Project (OWASP) and its contributions to web security.
