Web Application Security

Review the attached slides to summarize week 1 of 2 and week 2 of 2.

- The quantity and quality of new insights from your own independent research/experience

- Adherence to page limits, font, font-size, line spacing, and margins

- Use of at least 2 new references

- Reputation of the reference sources

- Use of in-text citations with matching references and vice-versa

- Appropriateness of the use of the APA format for both in-text citations and references.

Please see the attachment.

Research Notes – Instructions

Research Notes Requirements:


You will be required to complete 5 self-study research notes in this course. Each research note will cover course materials from a 2-week period. All 5 research notes are due before midnight (11:59 p.m.) on their respective due dates (see the Course Schedule or Calendar on Blackboard for the due date of each research note) on Blackboard (please do not email me your research notes). The research notes are designed to help you review the course materials and to synthesize the course material with insights from your own research/experience.

Here are the requirements for each research note:

1. Page limits: Each research note must be 1 page (minimum) to 2 pages (maximum) long (Times New Roman, 12-pt font, single-line spacing, 1-inch margins)

2. Research note structure and recommended page lengths: Use the following structure and page lengths recommendations in the research note:

a) Summary of course materials from week 1 of 2 and week 2 of 2 – Summaries must be in paragraph format. Do not use a list with bullet points to summarize course materials. Summaries must be your own paraphrasing of the course materials. Do not copy and paste information from the slides or the articles linked to in the slides to create your summaries. There is no need to cite the PowerPoint slides. However, if you are using information from an article/video linked to in the slides, then you will need to cite it. Recommended minimum page length: ½ of a page.

b) Additional insights based on your own research/experience – Do some additional research online and present new insights related to the topics covered in both weeks. Present at least 2 new insights in this section. You should not copy and paste from online resources. You must give proper credit to the source. This means adding both in-text citations in your paragraphs and adding a reference section at the end of your research note. Use the APA citation format for both in-text citations and references. Recommended minimum page length: ½ of a page.

c) References – You must include at least 2 new references (not including the ones from the slides/videos posted on Blackboard) as a part of your research note. Please make sure that you cite reputed resources and avoid using resources such as Wikipedia as your reference source. If you are not sure of whether or not to use a resource as a reference, send me the information by email and I will let you know whether or not to use the resource as a reference. The references section must also be in APA format.

Grading Guidelines:

Each research note will be graded based on the following criteria:

- Completeness of your summaries from week 1 of 2 and week 2 of 2

- The quantity and quality of new insights from your own independent research/experience

- Adherence to page limits, font, font-size, line spacing, and margins

- Use of at least 2 new references

- Reputation of the reference sources

- Use of in-text citations with matching references and vice-versa

- Appropriateness of the use of the APA format for both in-text citations and references


Intro to Web Application Security

ITC 766-899

WEB APPLICATION SECURITY

Spring 2022

Dr. Ravi Thambusamy

Information Technology and Cybersecurity

College of Business

Missouri State University


Outline

What is WWW?

How is the WWW different from the Internet?

What is an application?

What is a web application?

Web application examples

What technologies are needed to make a web application work?


Outline

How does a web application work?

What is the need for web application security?

How is web application security different from network security?

What is the OWASP top ten list?


What is WWW?


WWW is an acronym for the World Wide Web

It was created by Tim Berners-Lee

It is a collection of web pages using hypertext

It can be accessed from a computer, smartphone, and even an automobile

It is not the same as the Internet

Technologies needed: web server, browser, Domain Name System, website address, HTTP, HTML, CSS, JavaScript, etc.

What is WWW? (contd.)

What is the world wide web? – Twila Camp
Source: TED-Ed https://www.youtube.com/watch?v=J8hzJxb0rpc

A brief history of the WWW by CERN

How is WWW different from the Internet?


WWW is a collection of web pages

The Internet is a network of networks

The Internet allows access to the web

However, the web is just a subset of traffic that can go back and forth on the Internet

Other types of traffic on the Internet include email (SMTP), file transfer (FTP, P2P, etc.), network management (SNMP, DHCP, etc.)


What is an Application?


An application is a type of software that is designed to execute particular tasks based on events triggered by end user interactions with the application

It is typically an executable

It is not the same as operating system software

It is also not the same as hardware

An application can be a standalone application, a web store app, a web application, or a web service


What is a Web Application?


A web application is an application that is hosted on a web server and can be accessed by a client using a browser

It utilizes the client–server architecture

It is non-native and does not need to be installed on the client’s computer

It will need an active Internet connection to run

It is not the same as a static webpage

It must be interactive to the end user


Web Application Examples


Web application examples include the following:

Web search engines (example: Google, Yahoo!, etc.)

Online marketplaces (example: Amazon, eBay, etc.)

Online social networks (example: Twitter, Instagram, etc.)

Online banking (example: Bank of America, Chase, etc.)

Online utilities (example: Google Maps, FlightAware, etc.)

Web Application Examples


Web application examples include the following:

Online news sites (example: nbcnews.com, abcnews.go.com, etc.)

Online weather sites (example: weather.com, accuweather.com, etc.)

Online tax services (example: TurboTax, TaxSlayer, etc.)

Online fundraising sites (example: GoFundMe, FUNDLY, etc.)

Online document management sites (example: Google G Suite, Microsoft Office 365, etc.)


Web Application Technologies


Technologies needed to deploy web applications:

Web server that hosts the web application

Browser installed on the client’s device that requests the web application

Internet to connect the client to the server and to transfer data back and forth between the two

Website address to type in as a Uniform Resource Locator (URL) on the browser to access the web application

Web Application Technologies


Technologies needed:

Domain Name System (DNS) servers which translate the website address (URL) to an Internet Protocol (IP) address and vice versa

HyperText Transfer Protocol (HTTP) that specifies the communication language for sending and receiving data between the client and the server

Code files written using HTML, CSS, JavaScript, Java, C#, AJAX, etc. that execute the business logic portion of the web application


How does a Web Application Work?


The client types the web application's URL into the browser

The browser looks up the web application’s IP address using the DNS

The browser then uses this IP address to send an HTTP request message to the web server which hosts the web application

This HTTP request message is sent to the web server using the client’s Internet connection

The web server receives the HTTP request made by the client

The web server then authenticates the client based on the client-supplied credentials

The web server then sends an HTTP response header with the response code 200 for a successful request along with the response body in the form of packets back to the client using the Internet

On successful authentication, the web server authorizes the client’s access to the requested web application

The browser parses the information sent from the web server and uses HTML/CSS/JavaScript, etc. to assemble and display the web application to the client

What is the need for Web Application Security?


Executive Summary from the Verizon 2021 Data Breach Investigations Report (DBIR)

Web application security is a growing concern among organizations (Verizon DBIR, 2021)

Web application attacks were among the top 3 patterns in the following industries (Verizon DBIR, 2021)

Accommodation & Food Services, Arts, Entertainment & Recreation, Financial & Insurance, Healthcare, Information, Manufacturing, Mining, Quarrying, Oil & Gas Extraction + Utilities, Professional, Scientific & Technical Services, and Retail


Source: Verizon 2021 Data Breach Investigations Report (DBIR) https://enterprise.verizon.com/resources/reports/dbir/2021/results-and-analysis/

What is the need for Web Application Security? (contd.)

Web applications lead the top hacking action vectors (Verizon DBIR, 2021):


What is the need for Web Application Security? (contd.)

Source: Verizon 2019 Data Breach Investigations Report (DBIR) https://www.verizon.com/business/resources/executivebriefs/2019-dbir-executive-brief.pdf

Web application incidents and breaches by industry (Verizon DBIR, 2019):


Web Application Security vs. Network Security


Source: 2021 Gartner Forecasts Worldwide Security and Risk Management Spending to Exceed $150 Billion in 2021 https://www.gartner.com/en/newsroom/press-releases/2021-05-17-gartner-forecasts-worldwide-security-and-risk-managem


| Web Application Security | Network Security |
| --- | --- |
| Focuses on vulnerabilities in web applications | Focuses on vulnerabilities in infrastructure (servers, clients, routers, switches, firewalls, intrusion detection/prevention systems) |
| Focuses on the Application Layer in the 7-layer Open Systems Interconnection (OSI) model | Focuses on the Transport, Network, Data Link, and Physical Layers in the 7-layer OSI model |
| Web application security issues are identified using the Common Weakness Enumeration (CWE) list | Network security issues are identified using the Common Vulnerabilities and Exposures (CVE) list |
| The total number of weaknesses in the CWE List version 4.6 is 924 (Mitre, 2022) | The total number of vulnerabilities in the current CVE List is 168,222 (Mitre, 2020) |
| Organizations are not focusing enough on this | Focus of most organizations |


The OWASP Top 10 List


OWASP is an acronym for Open Web Application Security Project

OWASP is “an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted” (About the OWASP Foundation, para 2, 2022)

Non-profit organization incorporated in 2004


The OWASP Top 10 is “a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications” (OWASP Top 10, para 1, 2022)

Serves as a starting point for organizations seeking to mitigate the risks associated with their web applications


The OWASP Top 10 Web Application Security Risks (2017 Version):


1. Injection

2. Broken Authentication

3. Sensitive Data Exposure

4. XML External Entities (XXE)

5. Broken Access Control

6. Security Misconfiguration

7. Cross-Site Scripting (XSS)

8. Insecure Deserialization

9. Using Components with Known Vulnerabilities

10. Insufficient Logging & Monitoring

Source: 2017 Top 10 – OWASP https://owasp.org/www-project-top-ten/2017/Top_10.html


The OWASP Top 10 Web Application Security Risks (2017 to 2021 Mapping):


Source: OWASP Top 10 https://owasp.org/www-project-top-ten/


WWW is not the same as the Internet

Web applications are here to stay

Web application technologies are not without flaws

The Verizon 2021 DBIR highlights the need for web application security

Web application security is different from network security

The OWASP Top 10 List is a good starting point for organizations looking to secure their web applications

Recap


Thank you!!!


Web Application Technologies – An In-Depth Look

ITC 766-899

WEB APPLICATION SECURITY

Spring 2022

Dr. Ravi Thambusamy

Information Technology and Cybersecurity

College of Business

Missouri State University


Outline

Web Application Server

Client Machine

Browser

Internet

Website Address / Uniform Resource Locator (URL)


Outline (contd.)

Domain Name System (DNS) Servers

HyperText Transfer Protocol (HTTP)

HyperText Markup Language (HTML)

Cascading Style Sheets (CSS)

JavaScript

Java / .NET / C# / Python, etc.


Web Application Server


Serves as the host for web applications

Refers to the “server” portion of the client-server architecture

Receives the HyperText Transfer Protocol (HTTP) request message from the client machine’s browser

Authenticates the client based on the user-supplied credentials

Examples: Apache Tomcat, Microsoft IIS, IBM WebSphere, Oracle WebLogic, Red Hat JBoss EAP, etc.


Authorizes the client’s access to the requested web application after authentication

Sends an HTTP response header back to the client machine with the response code 200 for successful requests or the response code 404 for page not found (maybe due to a broken link)

Uses ports to make services available to clients

Common port numbers: 80 for HTTP traffic, 25 for SMTP traffic, 21 for FTP traffic, 23 for telnet traffic, etc.
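The request/response exchange from the first deck's "How does a Web Application Work?" steps and the server behaviour listed above, simulated in one process as an added example (this is not code from the course slides): build_request() plays the browser, handle_request() plays the web application server, which authenticates the client, authorizes access to the requested page and answers 200, or 404 when the page does not exist. The 401 response for a request without valid credentials is the standard HTTP code and is not on the slide; the token store, paths and page bodies are constructed for illustration.

```python
# Added example (not from the course slides): one simulated HTTP/1.1 exchange.
# build_request() is the browser side; handle_request() is the web server side.
# The token store, resource paths and page bodies below are constructed.
from urllib.parse import urlsplit

RESOURCES = {"/app/index.html": "<html><body><h1>Welcome</h1></body></html>"}
VALID_TOKENS = {"tok-constructed-123": "alice"}  # constructed credential store


def build_request(url, token=None):
    """Browser side: turn a URL into the text of an HTTP/1.1 GET request."""
    parts = urlsplit(url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    lines = [f"GET {target} HTTP/1.1", f"Host: {parts.netloc}"]  # netloc keeps any :port
    if token:
        lines.append(f"Authorization: Bearer {token}")  # the client-supplied credential
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_message(raw):
    """Split an HTTP request or response into (start line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return start, headers, body


def build_response(code, reason, body):
    """Server side: status line, response headers, blank line, then the body."""
    return (f"HTTP/1.1 {code} {reason}\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def handle_request(raw):
    """Server side: authenticate first, then authorize the requested page, then serve."""
    start, headers, _ = parse_message(raw)
    method, target, _version = start.split(" ")
    scheme, _, token = headers.get("authorization", "").partition(" ")
    user = VALID_TOKENS.get(token) if scheme == "Bearer" else None
    if user is None:  # authentication failed: no valid credential was supplied
        return build_response(401, "Unauthorized", "login required")
    path = target.split("?", 1)[0]  # the parameter string does not select the page
    if method != "GET" or path not in RESOURCES:
        return build_response(404, "Not Found", "no such page")  # e.g. a broken link
    return build_response(200, "OK", RESOURCES[path])  # authorized: serve the page


def status_code(raw_response):
    """Browser side: read the numeric status code out of the response header."""
    return int(parse_message(raw_response)[0].split(" ")[1])


if __name__ == "__main__":
    request = build_request("http://www.example.com/app/index.html", "tok-constructed-123")
    print(request)
    print(handle_request(request))
```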

Web Application Server (contd.)


Traditional three-tier web hosting architecture


Source: 2021 Amazon Web Services: Web Application Hosting in the AWS Cloud – https://d1.awsstatic.com/whitepapers/aws-web-hosting-best-practices.pdf


Client Machine


Refers to the “client” portion of the client-server architecture

Is an Internet-connected device that allows a user to not only request services from a server, but also to view the results returned by the server

Is typically a workstation (at work) or a personal computer (at home)


Runs on a specific operating system (Microsoft Windows 10 Version 21H1, Apple macOS 12.0 Monterey, Google Android OS 12.0, Apple iOS 15.3, Linux Mint 20.3)

Has a browser (Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, etc.) installed on it


Browser


Is installed on the client machine

Is used to request the web application from the web application server

Accepts website address in the form of a Uniform Resource Locator (URL)

Sends the URL to a Domain Name System (DNS) server to translate the URL into an Internet Protocol (IP) address


Uses the IP address received from the DNS server to send an HTTP request message to the web application server

Parses the information sent back from the web application server

Assembles and displays the web application to the end user on the client machine by converting HTML/CSS/JavaScript code into text, images, and videos


Browser (contd.)

How Web Browsers Function? – OpenCanvas
Source: OpenCanvas – https://www.youtube.com/watch?v=z0HN-fG6oT4


Internet


Is a network of networks (infrastructure)

Is needed to connect the client to the server in the client-server architecture

Allows access to the web using HTTP

Also allows other traffic (SMTP, FTP, SNMP, DHCP, etc.)

Is provided by an Internet Service Provider (ISP) for a fee


Website Address / Uniform Resource Locator


Is made up of protocols, host names, domain names, top level domain, port numbers, file paths, file names, parameter strings, and anchors

Is maintained by a registrar (example: GoDaddy.com, Wix.com, etc.)

Lets clients access a web application using the name of the organization (amazon.com) that owns it instead of having to remember an IP address (204.246.162.5)
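An added example (not from the course slides) that breaks a URL into the components the slide lists: protocol, host name, domain name, top-level domain, port, file path, file name, parameter string and anchor. The split_url() name, the sample URL and the rightmost-label rule for the domain/TLD split are assumptions of this example; the default ports 80 and 443 are the standard well-known ports.

```python
# Added example (not from the course slides): split a URL into the parts the
# slide names. The sample URL is constructed; the domain/TLD split is a naive
# rightmost-label rule, so multi-label suffixes such as co.uk would need a
# public-suffix list to be handled correctly.
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}  # standard well-known ports


def split_url(url):
    """Return a dict with each URL component named the way the slide names it."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    labels = parts.hostname.split(".")
    tld = labels[-1]  # rightmost label, e.g. "com"
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else parts.hostname
    host_name = ".".join(labels[:-2])  # e.g. "www"; empty for a bare domain
    path = parts.path or "/"  # an empty path means the site root
    file_name = path.rsplit("/", 1)[-1]  # empty when the path ends in "/"
    return {
        "protocol": parts.scheme,
        "host_name": host_name,
        "domain_name": domain,
        "top_level_domain": tld,
        "port": parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme],
        "explicit_port": parts.port is not None,  # was the port typed in the URL?
        "file_path": path,
        "file_name": file_name,
        "parameters": parse_qs(parts.query, keep_blank_values=True),  # parameter string
        "anchor": parts.fragment,  # never sent to the server; used by the browser
    }


SAMPLE_URL = "https://www.example.com:8443/docs/report.pdf?id=42&format=pdf#page3"

if __name__ == "__main__":
    for name, value in split_url(SAMPLE_URL).items():
        print(f"{name:>18}: {value}")
```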


Website Address / URL (contd.)

Internet Tips: Understanding URLs – GCFLearnFree.org
Source: GCFLearnFree.org – https://www.youtube.com/watch?v=5Jr-_Za5yQM


Domain Name System (DNS) Servers


Is a protocol that operates on layer 7 (Application Layer) in the 7-layer Open Systems Interconnection (OSI) model

Resolves a given website address or URL (example: amazon.com) into its corresponding IP address (example: 204.246.162.5)

Is made up of resolvers, root servers, Top Level Domain (TLD) servers, and authoritative name servers
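An added example (not from the course slides) of the iterative walk the four components above perform: the resolver asks a root server, is referred to the TLD server, then to the authoritative name server, which returns the address; only the host-name part of the URL is looked up, and an answer already in the resolver's cache skips the walk. The zone data and server names are constructed; the amazon.com address is the one on the slide.

```python
# Added example (not from the course slides): a simulated iterative DNS lookup
# through the four components on the slide. Zone data and server names are
# constructed; the amazon.com address is the one the slide uses.
ROOT_ZONE = {"com": "a.gtld-servers.example"}  # root: which server handles each TLD
TLD_ZONES = {  # TLD server: which name server is authoritative for each domain
    "a.gtld-servers.example": {"amazon.com": "ns1.amazon.example"},
}
AUTHORITATIVE_ZONES = {  # authoritative server: the actual address records
    "ns1.amazon.example": {
        "amazon.com": "204.246.162.5",
        "www.amazon.com": "204.246.162.5",
    },
}


def resolve(name, cache=None):
    """Resolver: walk root -> TLD -> authoritative server for `name`.

    Returns (ip, trace), where trace lists the servers consulted in order.
    A name already in the resolver's cache is answered without the walk.
    """
    name = name.rstrip(".").lower()
    if cache is not None and name in cache:
        return cache[name], ["resolver cache"]
    labels = name.split(".")
    if len(labels) < 2:
        raise LookupError(f"{name!r} has no top-level domain")
    tld, registrable = labels[-1], ".".join(labels[-2:])
    trace = ["root server"]
    tld_server = ROOT_ZONE.get(tld)  # step 1: root refers us to the TLD server
    if tld_server is None:
        raise LookupError(f"NXDOMAIN: no such top-level domain {tld!r}")
    trace.append(tld_server)
    auth_server = TLD_ZONES[tld_server].get(registrable)  # step 2: TLD refers us onward
    if auth_server is None:
        raise LookupError(f"NXDOMAIN: {registrable!r} is not delegated")
    trace.append(auth_server)
    ip = AUTHORITATIVE_ZONES[auth_server].get(name)  # step 3: the answer itself
    if ip is None:
        raise LookupError(f"NXDOMAIN: no address record for {name!r}")
    if cache is not None:
        cache[name] = ip  # later lookups for this name skip the walk
    return ip, trace


if __name__ == "__main__":
    cache = {}
    for host in ("www.amazon.com", "www.amazon.com"):
        ip, trace = resolve(host, cache)
        print(f"{host} -> {ip} via {' -> '.join(trace)}")
```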


DNS Servers (contd.)

Source: PowerCert Animated Videos – https://www.youtube.com/watch?v=mpQZVYPuDGU

How a DNS Server works? – PowerCert


HyperText Transfer Protocol (HTTP)


Is another protocol that operates on layer 7 (Application Layer) in the 7-layer Open Systems Interconnection (OSI) model

Specifies the communication language for sending and receiving data between the client and the server in a client-server architecture

An overview of HTTP – MDN (source: Mozilla MDN web docs, 2021)


HyperText Transfer Protocol (HTTP) (contd.)

Source: Code.org – https://www.youtube.com/watch?v=kBXQZMmiA4s

The Internet: HTTP & HTML – Code.org


HyperText Markup Language (HTML)


Instructs the browser to assemble and display the web application to the end user

Is the code that describes the structure and content of a web application

Uses start tags (<>) and end tags (</>) to represent different components of a web application such as head, title, body, paragraph, table, form, etc.

HTML Tutorial (Source: w3schools.com)


Cascading Style Sheets (CSS)


CSS is a language that specifies how HTML components such as head, title, body, paragraph, table, form, etc. are displayed on a browser

amazon.com with CSS and without CSS

HTML has basic formatting tags

CSS allows a lot more flexibility in terms of how web applications appear

CSS Tutorial (Source: w3schools.com)


Cascading Style Sheets (CSS) (contd.)

CSS Basics (Part 1) – What is CSS? – DevTips

Source: DevTips – https://www.youtube.com/watch?v=s7ONvIgOWdM


JavaScript


Allows web applications to be interactive

Is the code required to handle user-triggered events (behavior)

Is not the same as Java since it is a client-side scripting language (runs inside a browser)

Is placed inside of HTML code using the <script> & </script> tags

JavaScript Tutorial (Source: w3schools.com)

Utilizes other concepts such as JSON, DOM, AJAX, etc. (Source: w3schools.com)


Java / .NET / C# / Python, etc.


Used as a part of the application tier in the 3-tier web application architecture to code the business logic behind the web applications

Are all examples of Object-Oriented Programming (OOP) languages which emphasize encapsulation, inheritance, and polymorphism


Web applications require several different technologies to come together in order to work

These include:

Web application servers, client machines, browsers, Internet, website address/URL, DNS servers, HTTP, HTML, CSS, JavaScript, Java/.NET/C#/Python, etc.

Before we can comprehend what vulnerabilities exist in web applications and how to fix those, we need to gain a better understanding of the technologies that enable a web application to work

Recap


Thank you!!!
