WEB APPLICATION DEVELOPMENT LO :1
Prepared By: Md. Muminur Rahman
Contents of The Presentation
Definition of Web Application
How Web Applications Work
Functions of Web Application
Advantages of Web Applications
Comparison Between Server-side Scripting Languages & Client-side Scripting Languages
Web Security Concerns
Recommendations for Security
References
Definition of Web Application
Web applications are computer programs that allow website visitors to submit data to a database, or retrieve data from a database, over the Internet using a web browser. The data is then presented in the browser as dynamically generated information. (Acunetix, 2015)
How Web Applications Work?
Web applications have several functions. The upcoming slides show some major functions of web applications.
Functions of Web Application
Display records stored in a database.
Shopping cart for saving products.
Creating and managing profiles/accounts.
Uploading images or files to the database and retrieving them from the database.
Web content management systems.
Advantages of Web Applications
There are many advantages of using web-based applications. The following slides show some of them.
Advantages of Web Applications
The development of web applications is cost-effective.
Web systems are accessible anytime, anywhere, via a PC or mobile phone with an active Internet connection.
The user interface (UI) of web-based applications is easier to customize.
Contents of web applications can be customized for presentation on any device connected to the Internet, including PDAs, tablets, mobile phones, etc.
Advantages of Web Applications (Cont.)
Installation and maintenance of web applications are less complicated.
The application will run in the browser regardless of the platform.
No installation of software is required.
Many web apps provide chat room facilities and the ability to share work in real time.
The support and maintenance of web applications cost little.
Comparison Between Server-side Scripting Languages & Client-side Scripting Languages
Comparison (1)
Server-side Scripting Languages:
Server-side scripting languages run on the server.
Examples: PHP, Ruby, ASP.NET, Perl.
Server-side scripting is used for building dynamic pages based on some conditions when the browser makes a request to the server.
Client-side Scripting Languages:
Client-side languages run on the user's machine.
Examples: JavaScript, Dart, Python.
Client-side scripting is used when the browser already has all the code and the page is altered on the basis of the user's input.
Comparison (2)
Server-side Scripting Languages:
Server-side scripts are affected by the processing speed of the host server.
The web server executes the server-side script, which sends the page to the browser.
Client-side Scripting Languages:
Client-side scripts are affected by the processing speed of the client or user's computer.
The web browser executes the client-side script that resides on the user's computer.
Comparison (3)
Server-side Scripting Languages:
The response time of a server-side script is slower than that of a client-side script, as server-side scripts are processed on the remote computer.
Server-side scripting cannot be blocked by the user.
Client-side Scripting Languages:
The response time of a client-side script is faster than that of a server-side script, as client-side scripts are processed on the local computer.
Client-side scripting can be blocked by the user.
Comparison (4)
Server-side Scripting Languages:
Server-side scripting can access the file system residing on the web server.
Client-side Scripting Languages:
Client-side scripting cannot access the file system that resides on the web server.
Web Security Concerns
There are some security concerns that should be kept in mind before going on to build a web-based system.
1. Cross Site Scripting (XSS)
Cross Site Scripting (XSS) is the execution of attacker-supplied scripts in the victim's browser in order to hijack information. XSS allows hijacking user sessions, defacing websites, etc. The reason behind this flaw is inappropriate validation of user-supplied data that an application takes and sends to a web browser without encoding or validating the content.
2. Injection Flaws
Injection flaws are a common threat to web applications, especially SQL injection. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers can trick the application into changing system data or executing unintended commands.
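The injection flaw described above, shown as an added example that is not part of the original slides: the same user lookup written with string concatenation and with a parameterised query, run against a constructed in-memory SQLite table so the difference can be observed offline. The table, rows and function names are assumptions.

```python
# Added example (not from the original slides): vulnerable query beside its
# parameterised form, using a constructed in-memory SQLite database.
import sqlite3

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),   # constructed sample rows
        (2, "bob", "bob@example.com"),
    ])
    return conn

def find_user_vulnerable(conn, username):
    # The user-supplied string becomes part of the SQL text, so the interpreter
    # cannot tell data from command: this is the injection flaw.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, username):
    # Placeholder binding: the value is handed to the driver separately and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

if __name__ == "__main__":
    db = build_db()
    hostile = "x' OR '1'='1"   # constructed input that rewrites the WHERE clause
    print(find_user_vulnerable(db, "alice"))   # ['alice']
    print(find_user_vulnerable(db, hostile))   # ['alice', 'bob']: every row leaks
    print(find_user_safe(db, hostile))         # []: treated as a literal username
```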
3. Malicious File Execution
Remote File Inclusion (RFI) gives attackers the chance to inject hostile code and data, resulting in a serious attack such as a compromise of the server. Malicious file execution attacks can affect XML, PHP or any framework that receives files from users.
4. Insecure Direct Object Reference
A direct object reference occurs when web application developers expose a reference to an internal implementation object (e.g. a file or database record) as a URL or form parameter. In this case, attackers could manipulate the unprotected reference to access another object without authorization.
5. Cross Site Request Forgery (CSRF)
CSRF is a serious problem, as it can be as powerful as the web application that it attacks. It might force the browser of a logged-in user to send a pre-authenticated request to a specific vulnerable web application. The application then causes the victim's browser to perform a hostile action that benefits the attacker.
6. Information Leakage
An application can unintentionally leak information about its internal workings and configuration, or violate privacy, because of a variety of problems. Attackers can take advantage of this weakness to conduct more serious attacks or to steal sensitive data.
7. Broken Authentication
This problem is caused by improper protection of session tokens and account credentials. In this case, attackers could compromise keys, passwords or authentication tokens.
8. Insecure Cryptographic Storage
This type of flaw becomes a threat to the application when attackers use inadequately protected data to perform identity theft and other crimes (e.g. credit card fraud). Using poor cryptographic protection in web applications causes this type of flaw.
9. Insecure Communications
This type of flaw arises from the potential leakage of sensitive data across the network communication infrastructure. The cause of this flaw is failing to encrypt network traffic when sensitive communications need to be protected.
10. Failure to Restrict URL Access
This type of flaw is caused by web applications that protect important and sensitive functionality only by hiding its URLs from unauthorized users. It allows attackers to perform unauthorized actions by accessing those URLs directly.
Recommendations for Security
Some recommendations for making strong and secure web applications.
1. Validate All Input Parameters
A central module should be developed to validate input parameters and check every input parameter against a distinct format that specifies exactly which types of input will be allowed. Special characters coming from the input form should also be filtered.
2. Sanitized Application Response
A central module should be developed to perform all sanitization. All outputs and error codes should be tested to ensure that the processing actually occurred as expected. For instance, unnecessary core system information, such as error messages generated by internal server errors, must not be visible on the client side. Most web servers allow a custom error page to be generated when an internal server error occurs.
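Recommendations 1 and 2 above, together with the XSS concern from the security section, as one added example that is not part of the original slides: a central validation module with one declared format per parameter, HTML encoding of anything echoed to the browser, and a response path that never exposes internals. The parameter names and their formats are assumptions.

```python
# Added example (not from the original slides): central input validation,
# output encoding and a generic error response. Parameter formats are assumed.
import html
import re

# One allow-list pattern per parameter: only the declared shape is accepted.
PARAM_FORMATS = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "age": re.compile(r"[0-9]{1,3}"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
}

class ValidationError(ValueError):
    pass

def validate_params(params):
    """Central validation: reject unknown, missing or malformed parameters."""
    unknown = set(params) - set(PARAM_FORMATS)
    if unknown:
        raise ValidationError("unexpected parameter(s): " + ", ".join(sorted(unknown)))
    cleaned = {}
    for name, pattern in PARAM_FORMATS.items():
        value = params.get(name)
        # fullmatch: the whole value must fit the format, with no trailing junk
        if not isinstance(value, str) or pattern.fullmatch(value) is None:
            raise ValidationError("parameter %r missing or malformed" % name)
        cleaned[name] = value
    return cleaned

def render_greeting(display_name):
    # Output encoding: the value is emitted as text, never as markup, so a
    # stored or reflected "<script>" cannot run in the browser.
    return "<p>Welcome, %s!</p>" % html.escape(display_name, quote=True)

def handle_request(params):
    """Response path: a validation failure yields a generic message, not internals."""
    try:
        clean = validate_params(params)
    except ValidationError:
        return 400, "<p>Invalid request.</p>"   # no stack trace, no echoed input
    return 200, render_greeting(clean["username"])

if __name__ == "__main__":
    good = {"username": "alice_1", "age": "34", "email": "a@example.com"}
    print(handle_request(good))
    print(handle_request(dict(good, username="<script>x</script>")))
    print(render_greeting("<b>bob</b>"))
```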
3. HTTP Trust Issues
Web application programmers should not trust form fields, HTTP Referer headers or cookies for security decisions, since this type of data can be tampered with. These parameters coming in from a client browser are not reliable without robust cryptographic techniques to verify the integrity of HTTP headers.
4. Keep Sensitive Session Values on the Server
Storing sensitive information in a client browser's cookies is not a good practice. Sensitive information should be kept on the server. If there is a need to store sensitive values in a client browser, strong cryptographic techniques should be used to protect the privacy of the data.
5. Encrypt Sensitive Pages
Pages carrying sensitive information must be encrypted during transmission with proper algorithms and keys, such as SSL and TLS. To obtain and show sensitive information, signed Java applets or ActiveX can be used.
6. Session Management
Session management plays an important role in securing a website. The session ID must be complex, long and made of random, unpredictable values. The session ID should also be changed repeatedly during a session; this makes the session ID harder to find by reducing the time for which any one session ID remains valid. Furthermore, a session ID must not be stored in persistent cookies, URLs, HTTP headers or hidden HTML fields.
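Recommendations 4 and 6 above, together with the CSRF concern from the security section, as one added example that is not part of the original slides: a server-side session store that keeps the sensitive values on the server, issues long random session IDs, rotates and expires them, and binds a per-session anti-forgery token that state-changing requests must present. The class, the 15-minute lifetime and the injectable clock are assumptions.

```python
# Added example (not from the original slides): server-side sessions with
# random IDs, rotation, expiry and a per-session CSRF token. TTL is assumed.
import hmac
import secrets
import time

SESSION_TTL = 15 * 60   # seconds a session ID stays valid (assumed policy)

class SessionStore:
    """Server-side store: the browser only ever holds the opaque session ID."""
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._sessions = {}          # sid -> {"user", "csrf", "expires"}

    def create(self, user):
        # 32 bytes from the OS CSPRNG: long and unpredictable, not derived
        # from the user name, a counter or the clock.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,                         # sensitive data stays server-side
            "csrf": secrets.token_urlsafe(32),    # per-session anti-forgery token
            "expires": self._clock() + SESSION_TTL,
        }
        return sid

    def lookup(self, sid):
        """Return the session record, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is not None and self._clock() >= entry["expires"]:
            del self._sessions[sid]
            entry = None
        return entry

    def rotate(self, sid):
        """Move a live session onto a fresh ID (after login, or periodically)."""
        entry = self.lookup(sid)
        if entry is None:
            return None
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        entry["expires"] = self._clock() + SESSION_TTL
        self._sessions[new_sid] = entry
        return new_sid

    def verify_csrf(self, sid, submitted):
        """A state-changing request must carry this session's own token."""
        entry = self.lookup(sid)
        if entry is None or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(entry["csrf"], submitted)   # constant time
```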
7. Access Restriction
Access restriction is one of the common ways to hide sensitive information in a web application. There should be specific privileges for different types of user, including end-user, admin, etc. When an application makes system calls to access certain programs, the calls should not use actual directory paths or file names, because that may allow attackers to learn system-level information if they gain access to the source code.
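Recommendation 7 above, together with the insecure direct object reference and information leakage concerns from the security section, as one added example that is not part of the original slides: a record lookup that resolves a client-supplied reference only after an ownership or role check, answers unknown and foreign ids identically, and a file handler that maps opaque names to server paths instead of accepting paths from the client. The sample records, roles and catalogue are constructed.

```python
# Added example (not from the original slides): authorization before resolving a
# direct object reference, and opaque names instead of real paths. Data is constructed.
INVOICES = {101: {"owner": "alice", "amount": 120}, 102: {"owner": "bob", "amount": 75}}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
REPORTS = {"monthly": "reports/monthly.pdf", "annual": "reports/annual.pdf"}

class Forbidden(PermissionError):
    pass

def get_invoice(current_user, invoice_id):
    """Resolve a client-supplied reference only after an authorization check."""
    invoice = INVOICES.get(invoice_id)
    is_admin = ROLES.get(current_user) == "admin"
    # An unknown id and someone else's id get the same answer, so the response
    # does not reveal whether a record exists (the information leakage concern).
    if invoice is None or (invoice["owner"] != current_user and not is_admin):
        raise Forbidden("invoice not available to %s" % current_user)
    return invoice

def can_read(current_user, invoice_id):
    """Boolean wrapper around get_invoice, convenient for access checks."""
    try:
        get_invoice(current_user, invoice_id)
        return True
    except Forbidden:
        return False

def report_path(report_name):
    """Translate an opaque name into a server path; clients never send paths."""
    return REPORTS.get(report_name)   # None for anything outside the catalogue

if __name__ == "__main__":
    print(get_invoice("alice", 101))     # owner reads own record
    print(can_read("alice", 102))        # False: bob's record
    print(can_read("carol", 102))        # True: admin role
    print(report_path("monthly"), report_path("nonexistent"))
```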
8. Perform Threat Modelling
A threat modelling process allows the threats, vulnerabilities and potential attacks against the web application to be identified. For building a secure application, it is essential to understand the threats against the application.
9. Web Application Unit Testing
Mica Molainan (2015) defines unit testing as: "testing of individual hardware or software units or groups of related units." Unit testing is very important for web-based applications. This testing is also a significant part of the development stage. Unit testing should include tests for common security issues.
10. Web Application Firewalls
The Web Application Security Consortium defines a web application firewall (WAF) as "an intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy". Firewalls help manage network access to the network ports authorized by the organization.
References
Acunetix (2015). What Are Web Applications? [online] Available at: http://www.acunetix.com/websitesecurity/web-applications/ [Accessed 10 Nov. 2015].
Magic Web Solutions UK (2015). The benefits of web-based applications. [online] Available at: http://www.magicwebsolutions.co.uk/blog/the-benefits-of-web-based-applications.htm [Accessed 10 Nov. 2015].
Motive.co.nz (2015). definition: client-side, server-side | Motive Web Design Glossary. [online] Available at: http://www.motive.co.nz/glossary/client-server.php?ref [Accessed 10 Nov. 2015].
sephone blog (2015). A Few Advantages of Web Applications. [online] Available at: http://blog.sephone.com/2014/03/26/a-few-advantages-of-web-applications/ [Accessed 10 Nov. 2015].
Web Application Security (2015). 1st ed. Hong Kong: The Government of the Hong Kong Special Administrative Region.
The Web Application Security Consortium (2015). The Web Security Glossary. [online] Available at: http://projects.webappsec.org/w/page/13246967/The%20Web%20Security%20Glossary#WebApplication [Accessed 13 Nov. 2015].
End of The Presentation
Thank You