Web security

Last updated 11:22 PM on 5/13/26
186 Terms

1
New cards

WHAT IS WEB/INTERNET APPLICATION SECURITY?

Application security refers to the process of identifying, mitigating, and protecting applications from vulnerabilities, threats, and attacks throughout their development and lifecycle. It involves designing, implementing, and maintaining security measures to prevent unauthorized access, data breaches, or exploitation of applications.

2
New cards

What Types of Application Security is Needed?

  1. API Security

  2. Web Application Security

  3. Cloud Native Application Security

  4. OS Security

3
New cards

API Security

APIs are important for modern apps because they let systems share data and services. Since weak APIs can cause data breaches, businesses must protect them from issues like poor authentication, data exposure, and no rate limiting. Security tools are used to find and fix these API vulnerabilities.

4
New cards

Web Application Security

Web applications run on web servers and are accessed through browsers over the Internet. Because they accept connections on insecure networks and often store sensitive data, they are common targets for attacks. OWASP Top 10 lists the most common and serious web application vulnerabilities.

5
New cards

Cloud-Native App Security

Cloud-native apps use microservices, containers, VMs, and serverless systems. They are harder to secure because parts change often and are usually built automatically with IaC. Security should start early in development, and special tools are needed to scan and monitor containers, serverless functions, and other cloud resources.

6
New cards

Operating System Security

OS security protects the systems that run applications, like servers, computers, and phones. Important practices include access control, patching, system hardening, anti-malware, and logging/monitoring. Keeping the OS updated and well configured helps protect apps and data.

7
New cards

OWASP TOP 10

  1. Broken Access Control

  2. Cryptographic Failures

  3. Injections

  4. Insecure Design

  5. Misconfiguration

  6. Vulnerable & Outdated Components

  7. Identification & Auth Failures

  8. Software and Data Integrity Failure

  9. Security Logging and Monitoring Failures

  10. Server-side Request Forgery

8
New cards

Broken Access Control

Broken access control allows threats and users to gain unauthorized access and privileges.

9
New cards

Cryptographic Failures

Think “sensitive data exposure”. Data not protected at rest & in transit.

10
New cards

Injections

Cross Site Scripting, Local file injection, SQL injection, Cross Site Request Forgery

11
New cards

Insecure Design

Designs without security in mind. Focuses on functionality rather than proper configuration and controls.

12
New cards

Misconfiguration

Improperly configured systems and infrastructure, such as unnecessary services left installed and running, or default accounts left enabled.

13
New cards

Vulnerable & Outdated Components

Component versions that are out of date or no longer supported through service channels.

14
New cards

Identification & Auth Failures

Security failures related to user identities. Establish secure session management to remedy.

15
New cards

Software and Data Integrity Failure

Software updates, sensitive data modification, unvalidated CI/CD pipeline changes

16
New cards

Security Logging and Monitoring Failures

Insufficient logging & monitoring

17
New cards

Server-side Request Forgery

When a web app fetches a user-supplied URL without validating it first.

18
New cards

Black Box

Testing without knowing the inside of the system, like an outside attacker. It helps find real-world weaknesses but may miss internal code or logic flaws.

19
New cards

White Box

Testing with full access to the system’s code, design, and settings. It helps find deeper security problems, but not every issue found can be exploited in real use.

20
New cards

General Data Protection Regulation (GDPR)

  • Requires websites based in the EU or providing content or transactions to EU citizens to guarantee that any personal data collected and stored must be done so legally and in conformance with strict regulations.

  • Any data collected and stored must be protected from unauthorized access and misuse.

  • If personal data are subject to a breach, the owner must be notified, among several other data protection requirements.

21
New cards

A website that falls under the GDPR must meet the following requirements to comply and avoid heavy financial penalties:

  • Users must have a way to give or retract their consent for the collection, use, and storage of their personal data.

  • Users must have access to any personal data collected, used, or stored.

  • The data collected, used, or stored are restricted to only the data required for the completion of a user-initiated action.

  • Access to a user’s personal data must be limited to only those website employees who specifically require the data to complete a user approved action.

  • A user must be notified within 72 hours of the discovery of a data breach involving the user’s data.

  • The owner/operator of a website must name a Data Protection Officer (DPO) to monitor GDPR compliance. Applies to website owners with 250 employees or more or with website traffic of 5,000 hits a year.

22
New cards

California Privacy Rights Act (CPRA)

  • An enhanced combination of two previous data protection and privacy laws: the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA)

  • Specifically defines and protects the privacy rights and personally identifiable information (PII) of California residents, regardless of the location of an online entity

  • Defines PII as a person’s first and last names, physical address, email address, telephone number(s), Social Security identification number, date of birth, physical characteristics or descriptive data, and any contact (physical or virtual) or other information that could possibly be used to identify a user

  • Under this law, website owner/operator must ensure that PII is secured and guarded

23
New cards

California Privacy Rights Act (CPRA) requires that a website provide users with a privacy policy containing the following information:

  • The specific data that are collected and stored

  • The identity of anyone or any third party with access to the information

  • How a user may access and modify their PII stored on the site

  • How a user may make a Do Not Track (DNT) request to the site (although the CPRA does not require the site to honor the user’s DNT request)

  • How modifications or updates to the site’s privacy policy are made available to users

  • The revision history of the site’s privacy policy

24
New cards

Website Legal Requirements

  • An e-commerce website must be accessible by users at all times, meaning 24/7/365

  • All terms and conditions and a privacy policy must be clearly disclosed and readily available to users.

  • The privacy policy should include a statement to the effect that PII is not sold or shared with third parties without the express consent of the user.

  • The website must adhere to all state, local, and foreign data privacy and protection laws applicable to the locations of its users.

  • The contact information for the owner/operator of the website must be accessible at all times and must include an email address and a telephone number.

25
New cards

Legal Requirements Compliance

  • Privacy policy

  • Cookie management policy

  • Terms and conditions

  • Records of user consent

26
New cards

Privacy policy (Legal Requirements Compliance)

All data protection and privacy laws require e-commerce websites to provide an accessible privacy policy.

27
New cards

Cookie management policy (Legal Requirements Compliance)

If a website creates, maintains, or distributes cookies, a cookie management policy must be available, and users must be given the opportunity to opt out of cookies for their visit at or before their first interaction with the site. The policy must inform the user why and how the site uses any cookies it creates or maintains.

28
New cards

Terms and conditions (Legal Requirements Compliance)

  • E-commerce websites must provide a statement of terms and conditions that formalizes the interaction between the user and the site owner or operator

  • Must define the rights of both the visitor and the provider

  • Site’s terms and conditions become legally binding after notifying user

29
New cards

Records of user consent (Legal Requirements Compliance)

  • Consents given by a user must be formally recorded and secured

  • Records of consent have traditionally been stored in cookies, but many data privacy and protection laws, including the GDPR, do not cover cookies and do not recognize them as secure storage

30
New cards

Other Laws Affecting Websites and Data Privacy

  • Americans with Disabilities Act Standards for Accessible Design

  • Children’s Online Privacy Protection Act (COPPA)

  • Communications Act

  • Computer Fraud and Abuse Act (CFAA)

  • Electronic Communications Privacy Act (ECPA)

  • Federal Trade Commission (FTC) Act

  • Gramm-Leach-Bliley Act (GLBA)

  • Health Insurance Portability and Accountability Act (HIPAA)

  • Video Privacy Protection Act

31
New cards

Lawful Basis

  • Consent

  • Contract

  • Legal obligation

  • Legitimate interest

  • Public task

  • Vital interests

32
New cards

Payment Processing Compliance

  • Payment Card Industry Data Security Standard (PCI DSS)

  • Revised Payment Services Directive (PSD2)

  • Three Domain Secure 2.0 (3DS2)

  • Know Your Business (KYB) and Know Your Customer (KYC) verification

33
New cards

Other Compliance Elements

  • Anti-Money Laundering (AML) and Counter Terrorist Financing (CTF)

  • Turing tests

  • Sanctions screening

34
New cards

California Consumer Privacy Act (CCPA)

  • Coverage: Privacy rights and consumer protection

  • Applies to: Any business operating in California that collects personally identifiable information (PII)

35
New cards

Center for Internet Security (CIS) Controls

  • Coverage: Guideline for protecting assets from cyberattacks

  • Applies to: Security for the Internet of Things (IoT)

36
New cards

Children’s Online Privacy Protection Act (COPPA)

  • Coverage: Regulates the online collection of PII from children under 13 years of age

  • Applies to: Any person or entity under U.S. authority

37
New cards

Gramm-Leach-Bliley Act (GLBA)

  • Coverage: Companies must secure the private information of clients and customers

  • Applies to: Companies offering financial products or services to individuals

38
New cards

Health Insurance Portability and Accountability Act (HIPAA)

  • Coverage: Governs electronic data and protects the privacy of patients

  • Applies to: Any organization handling healthcare data

39
New cards

National Institute of Standards and Technology (NIST)

  • Coverage: Managing risk by combining standards, guidelines, and best practices

  • Applies to: Voluntary framework for any organization to reduce risk

40
New cards

Types of Information Security

  • Application security

  • Infrastructure security

  • Cloud security

41
New cards

Functional website technologies and systems

  • Hypertext Markup Language (HTML)

  • Common Gateway Interface script

  • JavaScript

  • SQL database back-end

42
New cards

Common Gateway Interface (CGI)

  • A standard that defines a method by which a web server can obtain data from or send data to databases, documents, and other programs, and present that data to viewers via the Web

  • Programs are commonly written in Perl, C++, or ASP

  • Accessed by the web server in response to some action by a web visitor

  • Programs often accept user input from the browser to the web server

43
New cards

To help secure CGI:

  • Create and program CGI with security in mind.

  • Research known vulnerabilities with CGI programming.

  • Incorporate security best practices in all programming efforts.

  • Review the program periodically to verify and incorporate updated vulnerability information.

  • Apply security patches when necessary.

  • Use user validation and sanitization.

44
New cards

Attack Description: Data-in-transit is captured and used

Best Practices: HTTPS encrypts data-in-transit.

45
New cards

Attack Description: Sensitive data in log and audit files may be vulnerable to an attacker.

Best Practices: Use principle of least privilege policy and access controls to limit access.

46
New cards

Attack Description: Malicious code is embedded in query strings, fields, cookies, and headers.

Best Practices: Assume all input is harmful. Constrain, reject, and sanitize all input.

47
New cards

Attack Description: Malicious use of password cracking, privilege elevation, and social engineering to authenticate.

Best Practices: Educate users on password security, encrypt passwords, and enforce robust password policies.

48
New cards

Attack Description: Malicious users gain access to restricted and sensitive data or resources.

Best Practices: Encrypt data files and directories. Validate and audit object authorization.

49
New cards

Attack Description: Malicious users able to hijack a session and use valid credentials.

Best Practices: Provide a manual log out for sessions. Automatically log users out of sessions after a period of inactivity.

50
New cards

Attack Description: Hiding or ignoring file, folder, or resource locations.

Best Practices: Security by obscurity is not usually enough. Use access control mechanisms and security privileges to protect all resources.

51
New cards

Web Application Vulnerabilities: three areas are mainly targeted:

  • Authentication

  • Input validation

  • Session management

52
New cards

Top concerns regarding authentication:

  • Elevation of privilege

  • Disclosure of confidential data

  • Data tampering

  • Luring attacks

53
New cards

Input Validation:

Nonvalidated or poorly validated user input is a major threat to websites, databases, and web applications.

54
New cards

Top security threats to session management:

  • Session hijacking

  • Session replay

  • Man-in-the-middle

55
New cards

Session hijacking

The exploitation of a valid computer session to gain unauthorized access to information and services within a targeted computer system

56
New cards

Session replay

  • Happens when an attacker intercepts a user’s authentication token and bypasses authentication controls.

  • If the token is visible in a cookie or URL, a hacker can steal information and send requests through the hijacked session.

57
New cards

Man-in-the-middle

Refers to intercepting a message, altering its content, and then sending it to its original recipient

58
New cards

A well-written security policy addresses:

  • Data security in storage and in transit

  • Asset inventory and management

  • End-user security

  • Physical security

  • Access control mechanisms

  • Incident management and reporting

  • Fault-tolerant measures

  • Noncompliance consequences

59
New cards

Community Emergency Response Team (CERT) top 10 tips for secure coding:

  • Validate input.

  • Heed compiler warnings.

  • Plan and design for security policies.

  • Keep the coding simple.

  • Deny access by default.

  • Use the principle of least privilege.

  • Sanitize data sent to other systems.

  • Use layered security.

  • Use effective quality assurance techniques.

  • Adopt a secure coding standard.

60
New cards

General guidelines help ensure HTML is coded and deployed correctly:

  • Encrypt HTML code.

  • Keep the code clean.

  • Monitor HTML code.

  • Use input validation with HTML forms.

  • Validate URLs.

61
New cards

Fundamental aspects of the JavaScript secure coding standards:

  • Prefer to have obviously no flaws than no obvious flaws.

  • Avoid duplication.

  • Restrict privileges.

  • Establish trust boundaries.

  • Contain sensitive data.

  • Avoid dynamic SQL.

  • Extensible Markup Language (XML) and HTML generation require care.

  • Take care of interpreting untrusted code.

62
New cards

Common Gateway Interface (CGI)

It is not a programming language; it is a standard that enables communication between web forms and a program.

63
New cards

CGI strategies and techniques used to protect servers and back-end databases:

  • Limit user access to the database.

  • Validate input.

  • Limit error messages.

  • Log and audit access.

  • Use encryption protocols.

  • Restrict physical access to database servers.

64
New cards

Best Practices for Mitigating Web Application Vulnerabilities

  • Incorporate security in development.

  • Train developers.

  • Incorporate testing standards.

  • Continually monitor threats.

  • Restrict access to web applications, in whole or in part, to prevent uncontrolled access.

  • Ensure error messages do not reveal too much information.

  • Harden systems and applications.

  • Verify application configuration.

  • Validate input data.

  • Secure communication to and from the web server and applications.

65
New cards

Scenarios: Broken Access Control

Example: A normal user changes the URL from /account/user123 to /account/admin1 and can view another person’s data.

66
New cards

Scenarios: Cryptographic Failures

Example: A website stores passwords in plain text or sends credit card data without proper encryption.

67
New cards

Scenarios: Injection

Example: A login form accepts malicious SQL input like ' OR '1'='1 and lets the attacker log in without a real password.

68
New cards

Scenarios: Insecure Design

Example: A banking app is built without transfer limits or fraud checks, so attackers can abuse the system design.

69
New cards

Scenarios: Security Misconfiguration

Example: The server still uses default admin username/password, or debug mode is left on in production.

70
New cards

Scenarios: Vulnerable and Outdated Components

Example: A website uses an old library with a known security flaw, and attackers exploit it to gain access.

71
New cards

Scenarios: Identification and Authentication Failures

Example: The site allows weak passwords, no account lockout, or predictable session IDs, making account takeover easier.

72
New cards

Scenarios: Software and Data Integrity Failures

Example: An app automatically installs software updates without checking if the update is trusted, so malicious code gets installed.

73
New cards

Scenarios: Security Logging and Monitoring Failures

Example: An attacker keeps trying passwords many times, but the system does not log it or alert admins.

74
New cards

Scenarios: Server-Side Request Forgery (SSRF)

Example: A website lets users submit a URL to fetch an image, and the attacker uses it to make the server access internal-only resources.

76
New cards

What does many POST /xmlrpc.php requests usually mean?

Likely a brute-force login attack through XML-RPC.

77
New cards

What does successful access to timthumb.php suggest?

Likely exploitation of a vulnerable plugin file.

78
New cards

What does a successful POST to bbb.php suggest?

Likely use of a hidden backdoor or webshell.

79
New cards

Why are repeated successful requests to bbb.php suspicious?

They suggest the attacker is actively using the backdoor.

80
New cards

What does wp-login.php with 302 followed by /wp-admin/ suggest?

Successful WordPress login

81
New cards

What does a malicious file creating a scheduled task mean?

Persistence. The attacker wants malware to run again automatically.

82
New cards

What does trying to run cnrig suggest?

Likely cryptomining activity.

83
New cards

What is the difference between a backdoor and persistence?

  • Backdoor = hidden way in

  • Persistence = method to stay in

84
New cards

Mitigation

means reducing risk by addressing vulnerabilities in web security.

85
New cards

Security

Security protects valuable assets from being damaged, stolen, destroyed, or made unusable. In computers, security is often measured by how much money could be lost, and its purpose is to protect important personal or business assets.

86
New cards

SOHO

small office and home office (SOHO).

87
New cards

Vulnerabilities

weaknesses in a website’s code or configuration that attackers can exploit. They can lead to stolen data, malware, or malicious content. Mitigation means fixing or removing these weaknesses.

88
New cards

Threat

anything that could exploit a vulnerability and cause harm. Examples include malware, ransomware, theft, natural disasters, or actions by threat actors.

89
New cards

Risk

The possible loss that may happen when a threat exploits a vulnerability. It can mean either the chance that an attack will happen or the expected financial loss if it happens. Risk exists when an asset, threat, and vulnerability come together.

90
New cards

SOHO Physical Security Plan

Protects small office/home office assets using three parts: access control, asset protection, and surveillance. Access control limits who can enter, asset protection secures important items, and surveillance monitors activity.

91
New cards

A zero-day attack

Made on an application or system vulnerability that a vendor is either unaware of or has not yet corrected.

92
New cards

Threat actors

Characterized by their motivations, objectives, and methods.
Types of threat actors:

Cyberterrorist: Focused on disruption and destruction

State-sponsored: Accesses data to steal or capture intellectual property, classified information, and money as directed by sponsoring government or agency

Cybercriminal: Steals valuable data, money, and PII for financial gain

Hacktivist: Exposes confidential or secret information to create awareness

Insider: Current or former employee, contractor, supplier, with access to the system, network, or data

Script kiddie: A beginning hacker for whom the fun is in the attempt

93
New cards

Social engineering

Aims to trick people into revealing PII or sensitive data

94
New cards

Forms of social engineering:

  • Baiting

  • Dumpster diving

  • Honey trap

  • Phishing

  • Pretexting

  • Scareware

  • Shoulder surfing

  • Watering hole

95
New cards

A virus

  • is malware that has a specific function or objective.

  • is able to spread by making a copy of itself and inserting the copy into otherwise legitimate nonvirus software or files.

96
New cards

File corruptor

Penetrates executable files to infect a standalone computer or spread across a network

97
New cards

Macro virus

Attaches itself to a macro-enabled document and runs whenever the document is opened

98
New cards

Polymorphic virus

Has the capability to modify its own coding while retaining its original algorithm.

99
New cards

Malware types

Blended threat: Different types of malware are packaged as a group to discover and exploit different types of vulnerabilities.

Evasion: A survival tactic used by some malware to avoid detection and removal by anti-malware systems.

Escalated privilege: Allows an attacker to raise the permissions and rights of the account being used for the attack.

Exploit: A vulnerability is discovered and attacked by one or more forms of malware.

Zero-day: An undisclosed vulnerability or flaw in an operating system or application program that an attacker has discovered and exploited prior to it being made public.

100
New cards

Risk Assessment

  • Identification

  • Definition

  • Analysis

  • Prioritization