Web Security Threats

Protecting Web Applications and Users

Understanding Modern Web Attack Vectors

Web Security Landscape

Web Security Threats are malicious activities targeting web applications, websites, and web services to compromise data, disrupt operations, or gain unauthorized access.

Why Web Security Matters:

Ubiquitous Target: Web applications are everywhere
High Value Data: Contains sensitive personal and business information
Easy Access: Available 24/7 from anywhere in the world
Complex Attack Surface: Multiple layers and components to exploit
Business Impact: Direct effect on revenue and reputation

Web Security Statistics

Alarming Reality:

94% of security breaches target web applications
43% of cyber attacks target small businesses
75% of websites have security vulnerabilities
$4.45M average cost of a data breach (2023)
277 days average time to identify and contain breach
30,000 websites hacked daily

Web attacks increased 38% in 2023, making web security a critical priority

Impact on CIA Triad

Confidentiality Impact:

Data breaches and leaks
Unauthorized access to sensitive information
Session hijacking
Privacy violations
Intellectual property theft

Integrity Impact:

Data manipulation and corruption
Website defacement
Transaction fraud
Unauthorized modifications
Code injection attacks

Availability Impact:

Denial of service attacks
Server overload and crashes
Resource exhaustion
Service disruption
Business operations halt

OWASP Top 10 Web Security Risks

OWASP (Open Web Application Security Project) maintains a list of the most critical web application security risks.

OWASP Top 10 (2021):

Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery (SSRF)

SQL Injection Attacks

SQL Injection: Inserting malicious SQL code into application queries to manipulate database operations.

Vulnerable Code Example:

String query = "SELECT * FROM users WHERE username='"
+ username + "' AND password='" + password + "'";

Normal Input:
Username: john
Password: secret123
Query: SELECT * FROM users WHERE username='john' AND password='secret123'

SQL Injection Attack:
Username: admin'--
Password: anything
Query: SELECT * FROM users WHERE username='admin'--' AND password='anything'
Result: Logs in as admin (password check bypassed by comment --)

Cross-Site Scripting (XSS)

XSS Attack: Injecting malicious scripts into web pages viewed by other users.

Types of XSS:

Stored XSS: Malicious script stored on server (comments, profiles)
Reflected XSS: Script reflected from user input (search results)
DOM-based XSS: Client-side script manipulation

XSS Attack Example:

Comment field input:
<script>alert('XSS Attack!');</script>

When other users view the page:
• Popup appears with "XSS Attack!"
• Can steal cookies, session tokens
• Can redirect to malicious sites
• Can perform actions as the victim

Cross-Site Request Forgery (CSRF)

CSRF Attack: Tricking users into performing unintended actions on a website where they're authenticated.

CSRF Attack Scenario:

1. User logs into their bank account
2. User visits malicious website (still logged into bank)
3. Malicious site contains hidden form:

<form action="https://bank.com/transfer" method="POST">
<input type="hidden" name="to" value="attacker_account">
<input type="hidden" name="amount" value="1000">
</form>
<script>document.forms[0].submit();</script>

4. Form automatically submits using user's session
5. Money transfers to attacker's account

Broken Access Control

Broken Access Control: Failure to properly restrict what authenticated users can access and do.

Common Examples:

Privilege Escalation: Regular user gaining admin access
Insecure Direct Object Reference: Accessing unauthorized data by changing URL parameters
Missing Function Level Access Control: Administrative functions accessible to regular users
CORS Misconfiguration: Allowing unauthorized cross-origin requests

Example Attack:
Normal URL: https://app.com/account?id=123
Attack URL: https://app.com/account?id=124
Result: Access to another user's account information

Security Misconfiguration

Security Misconfiguration: Insecure default configurations, incomplete setups, or improperly configured security settings.

Common Misconfigurations:

Default Passwords: Using admin/admin, root/root
Directory Listing: Exposing file system structure
Error Messages: Revealing sensitive system information
Unnecessary Services: Running unused applications
Missing Security Headers: No HTTPS, CSP, or security headers
Outdated Software: Unpatched systems and components

Cryptographic Failures

Cryptographic Failures: Improper protection of sensitive data through weak or missing encryption.

Common Issues:

Storing passwords in plain text
Using weak hashing algorithms (MD5, SHA-1)
Missing encryption for sensitive data
Weak encryption keys or poor key management
Transmitting sensitive data over HTTP
Using deprecated SSL/TLS versions

Best Practices:

Use strong encryption algorithms (AES-256)
Implement proper key management
Use bcrypt or Argon2 for password hashing
Enforce HTTPS for all sensitive communications

XML External Entity (XXE)

XXE Attack: Exploiting XML processors to access local files, internal systems, or cause denial of service.

XXE Attack Example:

Malicious XML payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<stockCheck><productId>&xxe;</productId></stockCheck>

Result: Contents of /etc/passwd file revealed

Impact:
• Local file disclosure
• Internal network scanning
• Denial of service
• Server-side request forgery

Insecure Deserialization

Insecure Deserialization: Untrusted data being deserialized leading to remote code execution or privilege escalation.

Attack Scenarios:

Object Injection: Malicious objects executed during deserialization
Data Tampering: Modifying serialized objects to bypass access controls
Remote Code Execution: Executing arbitrary code on the server
Privilege Escalation: Gaining higher-level access rights

Prevention:

Avoid deserializing untrusted data
Implement integrity checks and encryption
Use safe serialization libraries
Monitor and log deserialization activities

Session Management Vulnerabilities

Session Management Flaws: Improper handling of user sessions leading to session hijacking or fixation attacks.

Common Vulnerabilities:

Session Hijacking: Stealing session cookies or tokens
Session Fixation: Forcing users to use attacker-controlled session
Weak Session IDs: Predictable or easy-to-guess session identifiers
Session Timeout Issues: Sessions that don't expire properly
Insecure Cookie Settings: Missing HttpOnly, Secure flags

Best Practices:

Generate strong, random session IDs
Set appropriate session timeouts
Use secure cookie attributes
Regenerate session IDs after authentication

Distributed Denial of Service (DDoS)

DDoS Attack: Overwhelming web servers with traffic from multiple sources to make services unavailable.

Types of DDoS Attacks:

Volume-based: UDP floods, ICMP floods
Protocol attacks: SYN floods, fragmented packet attacks
Application layer: HTTP floods, Slowloris attacks
Amplification: DNS, NTP, SSDP amplification

DDoS Impact:
• Website becomes inaccessible
• Server resources exhausted
• Business operations disrupted
• Revenue loss and reputation damage
• Potential for extortion demands

Web Application Firewall (WAF)

WAF: Security solution that monitors, filters, and blocks HTTP traffic between web applications and the internet.

WAF Protection:

SQL Injection filtering
XSS attack prevention
DDoS mitigation
Bot protection
Rate limiting
Geo-blocking
Content filtering

Types: Network-based, Host-based, Cloud-based WAF solutions

Web Security Testing

Testing Approaches:

Static Analysis (SAST): Analyzing source code for vulnerabilities
Dynamic Analysis (DAST): Testing running applications
Interactive Analysis (IAST): Combination of SAST and DAST
Penetration Testing: Simulated cyber attacks
Bug Bounty Programs: Crowdsourced security testing

Popular Security Testing Tools:

OWASP ZAP, Burp Suite (DAST)
SonarQube, Checkmarx (SAST)
Nessus, OpenVAS (Vulnerability scanners)
Metasploit (Penetration testing)

Secure Development Practices

Secure by Design: Build security from the ground up
Input Validation: Validate and sanitize all user inputs
Output Encoding: Encode outputs to prevent XSS
Parameterized Queries: Prevent SQL injection
Authentication & Authorization: Proper access controls
Secure Communication: Use HTTPS everywhere
Error Handling: Don't expose sensitive information
Security Headers: Implement CSP, HSTS, X-Frame-Options
Regular Updates: Keep dependencies current
Security Testing: Continuous security assessment

Web Security Standards

Key Standards and Guidelines:

OWASP: Open Web Application Security Project guidelines
PCI DSS: Payment Card Industry Data Security Standard
ISO 27001: Information security management
NIST Cybersecurity Framework: Risk management approach
GDPR: General Data Protection Regulation
HIPAA: Health Insurance Portability and Accountability Act

Compliance Benefits: Legal protection, customer trust, reduced liability, structured security approach

Key Takeaways

Web applications are primary targets for cyber attacks
OWASP Top 10 provides guidance on critical vulnerabilities
Multiple attack vectors threaten confidentiality, integrity, and availability
Prevention requires secure development practices and ongoing testing
Web Application Firewalls provide additional protection layer
Regular security assessments and updates are essential
Compliance standards provide structured security frameworks

Remember: Web security is an ongoing process requiring vigilance, education, and continuous improvement

Thank You

Questions & Discussion

Next: Network Ports Deep Dive