A web application also needs to be a hack-resilient application. A hack-resilient application reduces the likelihood of a successful attack. Such a resilient web application usually resides on a secure host server in a secure network and is developed using well-accepted secure design and development guidelines.
Unlike a standalone application, a web application runs across multiple tiers, and security must be addressed across all of those tiers.
For example, consider the following multitier web application. Most web applications today are layered in this way, and the figure shows this. Looking at the application as a set of layers provides structure and rationale for the security process: it lets you evaluate the security threats at each layer and identify the appropriate countermeasures for that layer.
The figure shows the following layers.
1. Web Server
2. Remote Application Server
3. Database Server
For each layer we can see how security is implemented.
For the network:
1. Router
2. Firewall
3. Switch
For the security of the host:
1. Protocols
2. Registry
3. Auditing and Logging
4. Patches and Services
5. Ports, etc.
For the security of the web application:
1. Input Validation
2. Authentication
3. Authorization
4. Configuration Management
5. Session Management
6. Cryptography
7. Auditing and Logging, etc.
Therefore we can see that web application security is a much deeper subject than standalone application security.
But following good practice reduces the risk of your web application becoming a meal for attackers.
We have already listed the areas to address when building secure web applications. Let's look at each of them in more detail.
It is important to note that, in addition to applying sound architectural and design practices, you should incorporate deployment considerations and corporate security policies during the early design phases. It should also be remembered that HTTP is a stateless protocol, which pushes our applications into greater complexity: we have to implement authentication and session tracking ourselves.
Input Validation
This avoids or reduces attacks performed by embedding malicious strings in query strings, form fields, cookies, and HTTP headers. These include command execution, cross-site scripting (XSS), SQL injection, and buffer overflow attacks.
The following practices improve your Web application's input validation:
Assume all input is malicious.
Centralize your approach.
Do not rely on client-side validation.
Be careful with canonicalization issues.
Constrain, reject, and sanitize your input.
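The five practices above fit together as one central validator: canonicalize first, then constrain against an allowlist, reject what does not match, and sanitize only where an allowlist is impossible. The following is an added example written for this post, not code from the original; the field names, regular expressions and limits are assumptions chosen to illustrate the practices, and it runs offline on the constructed inputs at the bottom.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# Added example, not code from the original post. Field names, patterns and
# limits below are assumptions chosen to illustrate the practices in the list.

MAX_DECODE_ROUNDS = 3   # assumption: how many nested %-encodings to tolerate
MAX_FREE_TEXT = 500     # assumption: length cap for free-text fields


class ValidationError(ValueError):
    """Raised for any input that the central validator will not accept."""


def canonicalize(value: str) -> str:
    """Reduce the input to one canonical form before any check runs.

    Repeated percent-decoding defeats double encoding (%252e -> %2e -> .),
    NFKC normalisation folds look-alike Unicode forms (fullwidth letters,
    ligatures) onto ASCII, and an embedded NUL is rejected outright because
    lower layers (C runtimes, file systems) silently truncate at it.
    """
    decoded = value
    for _ in range(MAX_DECODE_ROUNDS):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    else:
        raise ValidationError("too many layers of encoding")
    canonical = unicodedata.normalize("NFKC", decoded)
    if "\x00" in canonical:
        raise ValidationError("NUL byte in input")
    return canonical


# Allowlist per field: say what is acceptable and reject everything else.
RULES = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "page": re.compile(r"[1-9][0-9]{0,3}"),
    "order_id": re.compile(r"ORD-[0-9]{6}"),
}


def validate(field: str, raw: str) -> str:
    """Single entry point every request handler calls; no rule, no acceptance."""
    if field not in RULES:
        raise ValidationError("no rule for field %r" % field)
    value = canonicalize(raw)
    if not RULES[field].fullmatch(value):
        raise ValidationError("%s: rejected" % field)
    return value


def sanitize_free_text(raw: str) -> str:
    """For fields that cannot be allowlisted (comments), constrain what we can:
    canonicalize, drop control characters, cap the length, and HTML-escape so
    the stored value is safe to render in HTML. Other sinks (SQL, shell, LDAP)
    still need their own output encoding; this covers the HTML sink only."""
    value = canonicalize(raw)
    value = "".join(ch for ch in value if ch.isprintable() or ch in "\n\t")
    return html.escape(value[:MAX_FREE_TEXT])


def rejects(field: str, raw: str) -> bool:
    """Helper for demonstrations: True if the validator refuses the input."""
    try:
        validate(field, raw)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal value, two encoded variants, and two attacks.
    print(validate("username", "%61lice"))        # decoded once -> alice
    print(validate("username", "\uff41lice"))      # fullwidth 'a' folded -> alice
    print(rejects("page", "1%00"))                 # NUL after decoding -> True
    print(rejects("username", "%252e%252e/"))      # double-encoded ../ -> True
    print(sanitize_free_text("<b>hi</b>\x07"))     # &lt;b&gt;hi&lt;/b&gt;
```

The point of the bounded decode loop is that validation must see the same bytes the downstream component will act on; if a later layer decodes again, feed its output through `canonicalize` as well rather than trusting the earlier check.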
Authentication
Avoids identity spoofing, password cracking, elevation of privileges, and unauthorized access.
Authorization
Avoids access to confidential or restricted data, tampering, and execution of unauthorized operations.
Configuration Management
Avoids unauthorized access to administration interfaces, the ability to update configuration data, and unauthorized access to user accounts and account profiles.
Sensitive Data
Avoids confidential information disclosure and data tampering.
Session Management
Avoids capture of session identifiers, which results in session hijacking and identity spoofing.
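What session management has to get right in practice is the identifier itself: it must be unpredictable, accepted only if the server issued it, rotated when the user logs in (so a planted identifier cannot be ridden into an authenticated session), expired, and delivered in a cookie that script and plaintext HTTP cannot reach. The following is an added example written for this post, not code from the original; the timeouts and cookie name are assumptions, and the store is in-memory so it runs offline.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added example, not code from the original post. Timeouts and the cookie
# name are assumptions; the store is in-memory so the example runs offline.

IDLE_TIMEOUT = 15 * 60        # assumption: 15 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 3600   # assumption: a session never lives longer than 8 hours
COOKIE_NAME = "session"       # assumption


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG: not guessable, not derived from the user or the clock
        return secrets.token_urlsafe(32)

    def create(self, now: Optional[float] = None) -> str:
        """Anonymous (pre-login) session."""
        now = time.time() if now is None else now
        sid = self._new_id()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def get(self, sid: str, now: Optional[float] = None) -> Optional[Session]:
        """Only identifiers this server issued are valid; expired ones are destroyed."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def login(self, sid: str, user: str, now: Optional[float] = None) -> str:
        """Bind the session to a user and rotate the identifier.

        Rotation is the session-fixation defence: whatever identifier the
        browser arrived with (possibly one an attacker planted) is retired,
        and the authenticated state lives only under a fresh one.
        """
        now = time.time() if now is None else now
        old = self.get(sid, now)
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user, now, now, old.data if old else {})
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """HttpOnly keeps script from reading the id (XSS turning into hijack),
    Secure keeps it off plaintext HTTP, SameSite=Lax blocks most cross-site sends."""
    return "Set-Cookie: %s=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % (COOKIE_NAME, sid)


if __name__ == "__main__":
    store = SessionStore()
    planted = "attacker-chosen-id"           # constructed: id an attacker tried to fix
    print(store.get(planted, now=1000.0))    # None: never issued by this server
    sid = store.login(planted, "alice", now=1001.0)
    print(sid != planted, store.get(sid, now=1002.0).user)   # True alice
    print(set_cookie_header(sid))
```

Passing `now` explicitly is only there to make the timeout behaviour testable; in the application the default `time.time()` path is used.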
Cryptography
Avoids access to confidential data or account credentials, or both.
Parameter Manipulation
Avoids path traversal attacks, command execution, and bypass of access control mechanisms, among others, which lead to information disclosure, elevation of privileges, and denial of service.
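Path traversal is the classic parameter-manipulation case: a file name taken from the request is joined to a directory on the server, and `..` segments, encoded dots, absolute paths or NUL bytes walk it out of that directory. The robust check is containment of the normalised result rather than a blocklist of patterns. The following is an added example written for this post, not code from the original; the document root is an assumption, and `posixpath` is used so the result is the same on every OS.

```python
import posixpath
from urllib.parse import unquote

# Added example, not code from the original post. The document root is an
# assumption; posixpath is used so the result is identical on every OS.

DOCUMENT_ROOT = "/srv/app/public"   # assumption


class TraversalError(ValueError):
    """Raised when a client-supplied path would leave the document root."""


def safe_join(root: str, user_path: str) -> str:
    """Resolve a client-supplied relative path inside root, or refuse.

    The check runs on the normalised result, not the raw string, so '..'
    segments, encoded dots, absolute paths and prefix tricks ('../publicx')
    are all caught by one containment test instead of a pattern list an
    attacker can route around. commonpath is used rather than startswith
    because startswith would accept '/srv/app/publicx/...'.
    """
    decoded = user_path
    while True:                       # decode until stable: strictly shortens, so it terminates
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded or "\\" in decoded:
        # NUL truncates the name in C/file-system layers; backslash is a
        # separator on Windows even though posixpath ignores it.
        raise TraversalError("forbidden character in path")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if posixpath.commonpath([root, candidate]) != root:
        raise TraversalError("path escapes document root")
    return candidate


def escapes(user_path: str) -> bool:
    """Helper for demonstrations: True if safe_join refuses the path."""
    try:
        safe_join(DOCUMENT_ROOT, user_path)
    except TraversalError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal request followed by traversal attempts.
    print(safe_join(DOCUMENT_ROOT, "images/logo.png"))   # /srv/app/public/images/logo.png
    for attempt in ["../etc/passwd", "%2e%2e/etc/passwd", "%252e%252e/etc/passwd",
                    "/etc/passwd", "../publicx/x", "a%00.png"]:
        print(attempt, escapes(attempt))                 # all True
```

On a real file system, symbolic links inside the root can still point outside it; after this string-level check, open the file and confirm that `os.path.realpath` of the opened path is also contained in the root, or serve from a directory that contains no links.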
Exception Management
Avoids denial of service and disclosure of sensitive system-level details.
Auditing and Logging
Avoids failure to spot the signs of intrusion, inability to prove a user's actions, and difficulties in problem diagnosis.
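Exception management and auditing meet in the request handler: an unexpected failure must produce a generic response for the client and a full record for the operator, and every security-relevant action (a login attempt, a permission denial) must leave a line that says who did what, from where, and whether it succeeded. The following is an added example covering both the Exception Management and the Auditing and Logging points above; it is written for this post and is not code from the original. The in-memory log handler exists only so it runs offline.

```python
import logging
import secrets
import traceback
from typing import Any, Callable, Dict, List, Tuple

# Added example, not code from the original post. The in-memory log handler
# exists only so the example runs offline; a real deployment ships these
# records to a collector that the application itself cannot modify.

log = logging.getLogger("app.example")
log.setLevel(logging.INFO)
log.propagate = False


class MemoryHandler(logging.Handler):
    def __init__(self) -> None:
        super().__init__()
        self.records: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


LOG_SINK = MemoryHandler()
log.addHandler(LOG_SINK)


def handle(view: Callable[..., Any], *args: Any) -> Tuple[int, Dict[str, Any]]:
    """Run a request handler. The client gets a generic message plus an opaque
    reference; the exception type, message and stack trace stay in the log,
    where the reference lets an operator find them."""
    try:
        return 200, {"result": view(*args)}
    except PermissionError:
        # Expected condition: the same answer whether the object is missing or
        # forbidden, so the response cannot be used to enumerate what exists.
        return 404, {"error": "not found"}
    except Exception as exc:
        ref = secrets.token_hex(8)
        log.error("ref=%s unhandled %s: %s\n%s",
                  ref, type(exc).__name__, exc, traceback.format_exc())
        return 500, {"error": "internal error", "ref": ref}


def audit(event: str, user: str, source_ip: str, outcome: str, **extra: Any) -> str:
    """One structured line per security-relevant action: who, what, from where,
    and whether it succeeded. Values are written with repr() so a newline in a
    user-controlled field cannot forge a second, fake log line."""
    fields = {"event": event, "user": user, "ip": source_ip, "outcome": outcome, **extra}
    line = "AUDIT " + " ".join("%s=%r" % (k, v) for k, v in fields.items())
    log.info(line)
    return line


def forbidden_view() -> None:
    """Constructed handler standing in for an authorization failure."""
    raise PermissionError("not the owner")


if __name__ == "__main__":
    print(handle(lambda: 1 / 0))          # (500, {'error': 'internal error', 'ref': ...})
    print(handle(forbidden_view))         # (404, {'error': 'not found'})
    # Constructed: a failed login whose username tries to inject a fake success line.
    print(audit("login", "admin\nAUDIT event='login' outcome='success'",
                "198.51.100.7", "failure", reason="bad password"))
    print(LOG_SINK.records[0].splitlines()[0])   # ref=... unhandled ZeroDivisionError: ...
```

The `ref` value is the link between the two sides: support can ask the user for it and find the full trace, while the response itself reveals nothing about the stack, the framework or the database.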
Security Policies and Procedures
Security policy determines what your applications are allowed to do and what the users of the application are permitted to do. More importantly, it defines restrictions that determine what applications and users are not allowed to do.
Network Infrastructure Components
Make sure you understand the network structure provided by your target environment and understand the baseline security requirements of the network in terms of filtering rules, port restrictions, supported protocols, and so on.
Following is a list of attacks on Web Applications:
1. Abuse of Functionality
2. Brute Force
3. Buffer Overflow
4. Content Spoofing
5. Credential/Session Prediction
6. Improper Output Handling
7. Cross-Site Scripting
8. Cross-Site Request Forgery
9. Insecure Indexing
10. Denial of Service
11. Fingerprinting
12. Format String
13. HTTP Response Smuggling
14. HTTP Response Splitting
15. HTTP Request Smuggling
16. HTTP Request Splitting
17. Integer Overflows
18. LDAP Injection
19. Mail Command Injection
20. Null Byte Injection
21. OS Commanding
22. Path Traversal
23. Predictable Resource Location
24. Remote File Inclusion (RFI)
25. Routing Detour
26. Session Fixation
27. SOAP Array Abuse
28. SSI Injection
29. SQL Injection
30. URL Redirector Abuse
31. XPath Injection
32. XML Attribute Blowup
33. XML External Entities
34. XML Entity Expansion
35. XML Injection
36. XQuery Injection
The latest development in attacks is hacking and other kinds of attacks on social networks such as Facebook and Twitter. For an example, see the following hacking incident report from WASC.