Web Application Security

IntrotoWebApplicationSecurity.pptx

Intro to Web Application Security

ITC 766-899

WEB APPLICATION SECURITY

Spring 2022

Dr. Ravi Thambusamy

Information Technology and Cybersecurity

College of Business

Missouri State University

1

Outline

What is WWW?

How is the WWW different from the Internet?

What is an application?

What is a web application?

Web application examples

What technologies are needed to make a web application work?

2

Outline

How does a web application work?

What is the need for web application security?

How is web application security different from network security?

What is the OWASP top ten list?

3

What is WWW?

4

WWW is an acronym for the World Wide Web

It was created by Tim Berners-Lee

It is a collection of web pages using hypertext

It can be accessed from a computer, smartphone, and even an automobile

It is not the same as the Internet

Technologies needed: web server, browser, Domain Name System (DNS), website address, HTTP, HTML, CSS, JavaScript, etc.

What is WWW? (contd.)

5

What is the world wide web? – Twila Camp

What is WWW? (contd.)

Source: TED-Ed https://www.youtube.com/watch?v=J8hzJxb0rpc

6

A brief history of the WWW by CERN

What is WWW? (contd.)

How is WWW different from the Internet?

8

WWW is a collection of web pages

The Internet is a network of networks

The Internet allows access to the web

However, the web is just a subset of traffic that can go back and forth on the Internet

Other types of traffic on the Internet include email (SMTP), file transfer (FTP, P2P, etc.), network management (SNMP, DHCP, etc.)

How is WWW different from the Internet?

9

What is an Application?

10

An application is a type of software that is designed to execute particular tasks based on events triggered by end user interactions with the application

It is typically an executable

It is not the same as operating system software

It is also not the same as hardware

An application can be a standalone application, a web store app, a web application, or a web service

What is an Application?

11

What is a Web Application?

12

A web application is an application that is hosted on a web server and can be accessed by a client using a browser

It utilizes the client–server architecture

It is non-native and does not need to be installed on the client’s computer

It will need an active Internet connection to run

It is not the same as a static webpage

It must be interactive to the end user

What is a Web Application?

13

Web Application Examples

14

Web application examples include the following:

Web search engines (example: Google, Yahoo!, etc.)

Online marketplaces (example: Amazon, eBay, etc.)

Online social networks (example: Twitter, Instagram, etc.)

Online banking (example: Bank of America, Chase, etc.)

Online utilities (example: Google Maps, FlightAware, etc.)

Web Application Examples

15

Web application examples include the following:

Online news sites (example: nbcnews.com, abcnews.go.com, etc.)

Online weather sites (example: weather.com, accuweather.com, etc.)

Online tax services (example: TurboTax, TaxSlayer, etc.)

Online fundraising sites (example: GoFundMe, FUNDLY, etc.)

Online document management sites (example: Google G Suite, Microsoft Office 365, etc.)

Web Application Examples (contd.)

16

Web Application Technologies

17

Technologies needed to deploy web applications:

Web server that hosts the web application

Browser installed on the client’s device that requests the web application

Internet to connect the client to the server and to transfer data back and forth between the two

Website address, typed into the browser as a Uniform Resource Locator (URL), to access the web application

Web Application Technologies

18

Technologies needed:

Domain Name System (DNS) servers which translate the website address (URL) to an Internet Protocol (IP) address and vice versa

HyperText Transfer Protocol (HTTP) that specifies the communication language for sending and receiving data between the client and the server

Code files written using HTML, CSS, JavaScript, Java, C#, AJAX, etc. that execute the business logic portion of the web application

Web Application Technologies (contd.)

19

How does a Web Application Work?

20

How does a Web Application Work?

21

The client types the web application's URL into the browser

The browser looks up the web application’s IP address using the DNS

The browser then uses this IP address to send an HTTP request message to the web server which hosts the web application

This HTTP request message is sent to the web server using the client’s Internet connection

The web server receives the HTTP request made by the client

The web server then authenticates the client based on the client-supplied credentials

The web server then sends an HTTP response back to the client over the Internet: the response header carries the response code 200 for a successful request, and the response body follows it, delivered as packets

On successful authentication, the web server authorizes the client’s access to the requested web application

The browser parses the information sent from the web server and uses HTML/CSS/JavaScript, etc. to assemble and display the web application to the client
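The request/response exchange above, with the authentication and authorization steps made explicit, as an added example that is not part of the original slides. It starts a tiny web server on the loopback interface and plays the browser's role with Python's standard HTTP client; the user table, the access rule for /app/dashboard, and the use of HTTP Basic credentials are all constructed for the demonstration.

```python
import base64
import hmac
import http.client
import http.server
import json
import threading

# Constructed credential store for the demo. A real server keeps password
# hashes, not plaintext, and looks them up in a database.
USERS = {"alice": "correct horse battery staple"}
# Constructed authorization rule: which authenticated users may read which path.
ACL = {"/app/dashboard": {"alice"}}


class WebAppHandler(http.server.BaseHTTPRequestHandler):
    """Server side of the exchange: authenticate, authorize, then respond."""

    def log_message(self, fmt, *args):  # silence per-request logging in the demo
        pass

    def _authenticate(self):
        # Authentication step: check the client-supplied credentials carried in
        # the Authorization header (HTTP Basic, base64 of "user:password").
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return None
        try:
            user, _, password = base64.b64decode(header[6:]).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        expected = USERS.get(user, "")
        # Constant-time comparison so response timing does not leak how much of
        # the password matched.
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return user

    def do_GET(self):
        user = self._authenticate()
        if user is None:
            # Authentication failed: 401 tells the browser to present credentials.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()
            return
        if user not in ACL.get(self.path, set()):
            # Authenticated but not authorized for this resource: 403.
            self.send_response(403)
            self.end_headers()
            return
        # Successful request: status 200 plus a response body the browser renders.
        body = json.dumps({"user": user, "page": self.path}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    """Bind to 127.0.0.1 on an ephemeral port and serve in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), WebAppHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, path, user=None, password=None):
    """Browser side of the exchange: send one GET and return (status, body)."""
    headers = {}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    status, body = resp.status, resp.read()
    conn.close()
    return status, body


def demo():
    """Run the four interesting cases and return their status codes (and the 200 body)."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        ok_status, ok_body = fetch(port, "/app/dashboard", "alice", USERS["alice"])
        return {
            "no_creds": fetch(port, "/app/dashboard")[0],
            "bad_creds": fetch(port, "/app/dashboard", "alice", "wrong")[0],
            "forbidden": fetch(port, "/app/admin", "alice", USERS["alice"])[0],
            "ok": ok_status,
            "ok_body": json.loads(ok_body),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is the ordering the server enforces: credentials are checked before the access rule is consulted, and the 200 response with a body is produced only after both checks pass; a failure at either step yields a response with no application data.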

What is the need for Web Application Security?

22

Executive Summary from the Verizon 2021 Data Breach Investigations Report (DBIR)

Web application security is a growing concern among organizations (Verizon DBIR, 2021)

Web application attacks were among the top 3 patterns in the following industries (Verizon DBIR, 2021)

Accommodation & Food Services, Arts, Entertainment & Recreation, Financial & Insurance, Healthcare, Information, Manufacturing, Mining, Quarrying, Oil & Gas Extraction + Utilities, Professional, Scientific & Technical Services, and Retail

What is the need for Web Application Security?

23

Source: Verizon 2021 Data Breach Investigations Report (DBIR) https://enterprise.verizon.com/resources/reports/dbir/2021/results-and-analysis/

What is the need for Web Application Security? (contd.)

Web applications lead the top hacking action vectors (Verizon DBIR, 2021):

24

What is the need for Web Application Security? (contd.)

Source: Verizon 2019 Data Breach Investigations Report (DBIR) https://www.verizon.com/business/resources/executivebriefs/2019-dbir-executive-brief.pdf

Web application incidents and breaches by industry (Verizon DBIR, 2019):

25

Web Application Security vs. Network Security

26

Web Application Security vs. Network Security

Source: 2021 Gartner Forecasts Worldwide Security and Risk Management Spending to Exceed $150 Billion in 2021 https://www.gartner.com/en/newsroom/press-releases/2021-05-17-gartner-forecasts-worldwide-security-and-risk-managem

27

Focus
Web application security: vulnerabilities in web applications
Network security: vulnerabilities in infrastructure (servers, clients, routers, switches, firewalls, intrusion detection/prevention systems)

Layer
Web application security: the Application Layer in the 7-layer Open Systems Interconnection (OSI) model
Network security: the Transport, Network, Data Link, and Physical Layers in the 7-layer OSI model

Issue identification
Web application security: issues are identified using the Common Weakness Enumeration (CWE) list
Network security: issues are identified using the Common Vulnerabilities and Exposures (CVE) list

List size
Web application security: the CWE List version 4.6 contains 924 weaknesses (Mitre, 2022)
Network security: the current CVE List contains 168,222 vulnerabilities (Mitre, 2020)

Organizational attention
Web application security: organizations are not focusing enough on this
Network security: the focus of most organizations

Web Application Security vs. Network Security (contd.)

28

The OWASP Top 10 List

29

OWASP is an acronym for Open Web Application Security Project

OWASP is “an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted” (About the OWASP Foundation, para 2, 2022)

Non-profit organization incorporated in 2004

The OWASP Top 10 List

30

The OWASP Top 10 is “a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications” (OWASP Top 10, para 1, 2022)

Serves as a starting point for organizations seeking to mitigate the risks associated with their web applications

The OWASP Top 10 List (contd.)

31

The OWASP Top 10 Web Application Security Risks (2017 Version):

The OWASP Top 10 List (contd.)

1. Injection

2. Broken Authentication

3. Sensitive Data Exposure

4. XML External Entities (XXE)

5. Broken Access Control

6. Security Misconfiguration

7. Cross-Site Scripting (XSS)

8. Insecure Deserialization

9. Using Components with Known Vulnerabilities

10. Insufficient Logging & Monitoring

Source: 2017 Top 10 – OWASP

https://owasp.org/www-project-top-ten/2017/Top_10.html

32

The OWASP Top 10 Web Application Security Risks (2017 to 2021 Mapping):

The OWASP Top 10 List (contd.)

Source: OWASP Top 10 https://owasp.org/www-project-top-ten/

33

WWW is not the same as the Internet

Web applications are here to stay

Web application technologies are not without flaws

The Verizon 2021 DBIR highlights the need for web application security

Web application security is different from network security

The OWASP Top 10 List is a good starting point for organizations looking to secure their web applications

Recap

34

Thank you!!!

35