Web App Security Seminar Overview

The document summarizes a technical seminar on web application security presented by Shri Harsha Kulkarni. It discusses common web application vulnerabilities like SQL injection, broken authentication, and cross-site scripting. It provides examples of each vulnerability type and methods to prevent them, such as input validation, parameterization, and output encoding. The document also references literature on the OWASP Top 10 vulnerabilities and statistics on web attacks from organizations like OWASP and ENISA.

Uploaded by

harsha kulkarni

Department of Computer Science and Engineering

TECHNICAL SEMINAR

(Web Application Security)


Under the guidance of: Prof. Krishna Gudi, Assistant Professor, Dept. of CSE
Presented by: Shri Harsha Kulkarni (1KS17CS077), Batch no: 2020_CSE_02
CONTENTS

1. Introduction
2. Literature survey
3. Top Ten Vulnerability types
4. Web Application attack vectors
5. SQL injection
6. Broken Authentication
7. Cross-site Scripting
8. Conclusion
9. References

INTRODUCTION

● Web applications and technologies have become a core part of the internet, taking on a wide range of uses and functionality.

● The increasing complexity of web applications and their widespread services create challenges in securing them against threats.

● Attackers have various incentives, ranging from causing financial or reputational harm to the theft of sensitive or personal information.
Literature survey

● OWASP Top Ten - 2017, by OWASP (Open Web Application Security Project). OWASP is a nonprofit foundation that works to improve the security of software; the document lists the top 10 vulnerability classes.

● A Study on Web Application Security and Detecting Security Vulnerabilities, by Sandeep Kumar, Renuka Mahajan, Naresh Kumar and Sunil Kumar Khatri [2017]. Research on attack vectors and how to prevent such attacks.

● Web application vulnerabilities and threats: statistics for 2019, by PT Security [2020].
Literature survey

● Web application attacks, ENISA - 2020, by the European Union Agency for Cybersecurity (ENISA). Covers web application attacks from January 2019 to April 2020.
Top Ten Vulnerabilities [2017]

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring

Web application attack vectors
● There is a general perception that web application attacks are quite diverse. However, data from security research suggests that the majority of web application attacks are limited to SQL injection (SQLi) or local file inclusion (LFI).

Fig 1. Attack vectors (2019)
WEB APPLICATION ATTACKS 2018 - 2019

Fig 2. Daily Web App attacks between 2018-2019


SQL injection
● SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
● It generally allows the attacker to retrieve data which they are not normally able to retrieve.
● This might include data belonging to other users, or any other data that the application itself is able to access.
● In some situations an attacker can escalate an SQL injection to compromise the underlying server or other back-end infrastructure.
SQL injection example

● Basic login query:

SELECT * FROM users WHERE username = 'harsha' AND password = 'kulkarni'
Here it searches for the user 'harsha' and validates the password.

● '--' starts a comment in SQL; everything after it on the line is ignored.

● When an attacker enters administrator'-- as the username (and anything at all as the password), the query becomes:

SELECT * FROM users WHERE username = 'administrator'--' AND password = ''

This query lets the attacker in without validation of the password, since the rest of the query has been commented out.
Preventing SQLi attacks
● Keep code and data separate.

● Parameterise the queries (prepared statements), so user input is never part of the SQL text.

● Validate which data can be entered by checking it against an allow list (white list) or, as a weaker control, a block list (black list).

● Escape special characters in the input, as a last resort where parameterisation is not possible.
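The bypass on the example slide and the parameterised fix from the prevention list, as an added example that is not part of the seminar. The `users` table, the two rows in it and the plaintext password column are constructed for the demonstration (real code stores salted hashes; the point here is only how the query is built). The function names `login_vulnerable`, `login_parameterised` and `demo` are assumptions.

```python
import sqlite3

# Constructed fixture: an in-memory SQLite database with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("harsha", "kulkarni"), ("administrator", "s3cret!")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The slide's basic login query, built by pasting data into code:
    # whatever the user typed becomes part of the SQL statement.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    # Code and data kept separate: the SQL text is fixed and the driver
    # passes the two values separately, so a quote or -- inside them is
    # just characters in a string, never SQL syntax.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# The slide's payload: a closing quote, then a comment that swallows the
# password check. The vulnerable query becomes
#   ... WHERE username = 'administrator'--' AND password = ''
PAYLOAD = "administrator'--"


def demo():
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "harsha", "kulkarni"),
        "bypass_vulnerable": login_vulnerable(conn, PAYLOAD, ""),
        "legit_parameterised": login_parameterised(conn, "harsha", "kulkarni"),
        "bypass_parameterised": login_parameterised(conn, PAYLOAD, ""),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the concatenated query the payload logs in as `administrator` without a password; with the parameterised query the same input simply matches no row, because the driver looks for a user literally named `administrator'--`.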
Broken Authentication
● Authentication vulnerabilities are some of the simplest issues to understand. However, they can be among the most critical, due to the obvious relationship between authentication and security.

● As well as potentially allowing attackers direct access to sensitive data and functionality, they also expose additional attack surface for further exploits.

● For this reason, learning how to identify and exploit authentication vulnerabilities, including how to bypass common protection measures, is a fundamental skill.
Broken Authentication example
An application is vulnerable to broken authentication when it:

● Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.

● Permits brute force or other automated attacks.

● Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".

● Does not rotate session IDs after a successful login, or does not expire sessions.
Broken Authentication prevention
● Where possible, implement multi-factor authentication to prevent automated attacks, credential stuffing, brute force, and stolen-credential re-use attacks.

● Implement weak-password checks, such as testing new or changed passwords against a list of the top 10,000 weak passwords.

● Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
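The weak-password check, the increasing delay with alerting, and the session ID rotation from the two slides above, combined into one login service as an added example that is not part of the seminar. The user store, the tiny stand-in for the weak-password list, the injectable clock and the names `AuthService`, `is_weak` and `hash_password` are all constructed for the demonstration; multi-factor authentication is left out.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the "top 10,000 weak passwords" list on the slide.
WEAK_PASSWORDS = {"password", "password1", "123456", "12345678", "qwerty",
                  "admin", "letmein"}
MIN_LENGTH = 12


def is_weak(password):
    """Reject passwords that are too short or appear on the weak list."""
    return len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class AuthService:
    ALERT_AFTER = 5   # failures on one account before an alert is logged
    BASE_DELAY = 1    # seconds before the next attempt; doubles per failure

    def __init__(self, clock):
        self.clock = clock      # callable returning the current time in seconds
        self.users = {}         # username -> (salt, digest)
        self.failures = {}      # username -> (count, earliest next attempt)
        self.sessions = {}      # session id -> username
        self.log = []           # lines an administrator would see

    def register(self, username, password):
        if is_weak(password):
            raise ValueError("password is too short or on the weak-password list")
        self.users[username] = hash_password(password)

    def _verify(self, username, password):
        if username not in self.users:
            hash_password(password)  # same cost for unknown users (no timing leak)
            return False
        salt, digest = self.users[username]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def login(self, username, password, old_session=None):
        now = self.clock()
        count, not_before = self.failures.get(username, (0, 0))
        if now < not_before:
            # Inside the delay window: reject without even checking the password.
            self.log.append(f"{username}: attempt during delay window, rejected")
            return None
        if not self._verify(username, password):
            count += 1
            delay = self.BASE_DELAY * 2 ** (count - 1)   # 1s, 2s, 4s, 8s, ...
            self.failures[username] = (count, now + delay)
            self.log.append(f"{username}: failed login #{count}, "
                            f"next attempt allowed in {delay}s")
            if count >= self.ALERT_AFTER:
                self.log.append(f"ALERT {username}: {count} failures, "
                                f"possible brute force or credential stuffing")
            return None
        # Success: reset the counter and issue a fresh session id, discarding
        # whatever id the client held before login (blocks session fixation).
        self.failures.pop(username, None)
        self.sessions.pop(old_session, None)
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        return session_id
```

The delay is applied per account and checked before the password is verified, so an attacker running a dictionary against one username pays the growing delay on every guess, while the alert line gives the operator something to act on. Rotating the session id on success is what makes the "does not rotate session IDs" item on the example slide go away.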
Cross-Site Scripting
● Cross-site scripting, also known as XSS, is a vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application.

● Cross-site scripting vulnerabilities normally allow an attacker to carry out any actions that the user is able to perform, and to access any of the user's data.

● If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
Cross-site Scripting example
● Suppose a website has a search function which receives the user-supplied search term in a URL parameter:
https://insecure-website.com/search?term=gift

● The application echoes the supplied search term in the response to this URL:
<p>You searched for: gift</p>

● Assuming the application doesn't perform any other processing of the data, an attacker can construct an attack like this:
https://insecure-website.com/search?term=<script>/*+Bad+stuff+here...+*/</script>

● The response would be:

<p>You searched for: <script>/* Bad stuff here... */</script></p>

The browser parses the attacker's script as part of the page and runs it in the victim's session.
Cross-site Scripting prevention

● Encode all user-supplied data to render it safe, e.g. Kirk <script> => Kirk &lt;script&gt;

● Use the encoding appropriate for the context (HTML body, attribute, JavaScript, URL).

● Use templating frameworks that assemble HTML safely.

● Use allow lists (white lists) or block lists for approved user input.
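The reflected search response from the example slide rendered three ways, unencoded, encoded for the HTML body, and encoded for an attribute, as an added example that is not part of the seminar. The `render_*` function names, the templates and the attribute-context payload are constructed for the demonstration.

```python
import html

# The slide's payload, as it arrives after URL decoding.
PAYLOAD = "<script>/* Bad stuff here... */</script>"


def render_unsafe(term):
    # The search term is pasted straight into the markup, so the browser
    # parses the attacker's <script> element as part of the page.
    return f"<p>You searched for: {term}</p>"


def render_html_body(term):
    # HTML-body context: html.escape turns & < > " ' into entities, so the
    # term is displayed as text. "<script>" reaches the browser as
    # "&lt;script&gt;" and is never parsed as a tag.
    return f"<p>You searched for: {html.escape(term)}</p>"


def render_attribute(term):
    # Attribute context: angle brackets are not the only danger here. A
    # payload like  " onfocus="alert(1)  contains no < or > at all, but a
    # raw quote would close the value and start a new attribute.
    # html.escape(quote=True) (the default) also encodes " and ', so the
    # value stays inside the quoted attribute.
    return f'<input type="text" name="term" value="{html.escape(term, quote=True)}">'


def contains_live_script(markup):
    # Crude check used by the demo: a raw "<script" means the payload is
    # live; an escaped one shows up as "&lt;script".
    return "<script" in markup


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_html_body(PAYLOAD))
    print(render_attribute('" onfocus="alert(1)'))
```

Entity encoding is the right tool for the HTML body and for quoted attributes. It is not enough inside a `<script>` block or an inline event handler, where the data must be encoded for the JavaScript context instead (or, better, never placed there at all); that is what the "appropriate encoding for the context" bullet refers to.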
Conclusion
● It is fair to say that the security of most web applications is still poor: half of the sites examined contain high-risk vulnerabilities. However, every year we see a steady decrease in the percentage of web applications with severe vulnerabilities.

● The average number of such vulnerabilities per application has fallen by a third compared to 2018.

● Companies are taking security more seriously, not just in public-facing web applications but in their internal ones too.
References
1. OWASP Top Ten 2017, OWASP (Open Web Application Security Project), 2017.

2. Sandeep Kumar, Renuka Mahajan, Naresh Kumar, Sunil Kumar Khatri. A Study on Web Application Security and Detecting Security Vulnerabilities, 2017.

3. Web application vulnerabilities and threats: statistics for 2019, PT Security, 2020.

4. Web application attacks, ENISA (European Union Agency for Cybersecurity), 2020.

5. https://sucuri.net/guides/owasp-top-10-security-vulnerabilities-2021/
Thank You
