Web Application Security
Objectives: By the end of this topic, you will be able to…
- Recognize and exploit common vulnerabilities in web applications
- Intercept and modify HTTP traffic
- Use automated analysis tools
- Understand the most common OWASP risks and how to mitigate them
Client-server model and components of a web app
A web application is based on the client-server model:
- The client (browser) sends requests (HTTP/S) to the server
- The server processes the request, accesses databases if necessary, and responds with content
Typical components:
| Component | Description |
|---|---|
| Frontend | User interface (HTML, CSS, JavaScript) |
| Backend | Business logic (PHP, Python, Node.js) |
| Database | Persistent storage (MySQL, MongoDB, PostgreSQL) |
| Web server | Intermediary between client and backend (Apache, Nginx) |
| Sessions/cookies | Mechanisms to maintain state between requests |
OWASP Top 10: key vulnerabilities
XSS (Cross-Site Scripting)
Injecting scripts into web pages that execute in other users’ browsers.
- Types: Reflected, Stored, DOM-based
- Consequences: cookie theft, redirects, keylogging
SQL Injection (SQLi)
Manipulating SQL queries through user input.
- Consequences: data access/modification, authentication bypass
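To show why the authentication-bypass consequence exists and how parameterized queries remove it, here is an added example (not DVWA's code) with a login check built by string concatenation beside its parameterized form; the in-memory `users` table and the `BYPASS` input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user, plaintext password for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'password')")
    return conn


def login_vulnerable(conn, username, password):
    """Query assembled from user input: the input becomes part of the SQL syntax."""
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Placeholders bind the input as data; the query structure cannot change."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed input: closes the password literal and appends an always-true condition,
# so the WHERE clause becomes (username='admin' AND password='') OR '1'='1'.
BYPASS = "' OR '1'='1"


def demo():
    """Run both implementations against valid and malicious input."""
    conn = make_db()
    return {
        "vulnerable_valid": login_vulnerable(conn, "admin", "password"),
        "vulnerable_bypass": login_vulnerable(conn, "admin", BYPASS),
        "parameterized_valid": login_parameterized(conn, "admin", "password"),
        "parameterized_bypass": login_parameterized(conn, "admin", BYPASS),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'logged in' if result else 'rejected'}")
```

The vulnerable version accepts the bypass input without a valid password, while the parameterized version rejects it, which is the control to look for when reviewing code for SQLi.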
LFI (Local File Inclusion)
Inclusion of local server files via manipulable parameters.
- May allow reading sensitive files (e.g., /etc/passwd) or code execution
CSRF (Cross-Site Request Forgery)
Exploiting the user’s browser to send malicious requests to an application where they are authenticated.
- Consequences: password changes, unauthorized transactions
Analysis of HTTP requests and sessions
Understanding HTTP traffic is key to finding and exploiting vulnerabilities:
- HTTP methods: GET, POST, PUT, DELETE
- HTTP headers: User-Agent, Cookie, Referer, Authorization
- Request body and parameters
- Session management: session cookies, CSRF tokens, persistent authentication mechanisms
Controlled exploitation techniques
Using safe environments (DVWA, OWASP Juice Shop):
- Code injection in forms
- Manipulating cookies or headers
- Automating basic attacks with scripts or tools
- Exploiting hidden parameters
Always perform these practices in controlled environments and with authorization.
Interceptors and automated scanners
| Tool | Description |
|---|---|
| Burp Suite | Proxy/interceptor for HTTP modification, attack automation, app mapping |
| OWASP ZAP | Free alternative to Burp with automated scanning |
| Nikto | Vulnerability scanner for web servers |
| sqlmap | Automates detection and exploitation of SQLi |
| wfuzz / ffuf | Fuzzing of routes and parameters |
| WhatWeb / Wappalyzer | Technology fingerprinting |
Hands-on lab
Requirements: Kali Linux, DVWA
Lab setup: Installing DVWA
```bash
sudo bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh)"
```
Review the downloaded script before executing it, since it runs with root privileges. DVWA will then be available at http://localhost/DVWA. Log in with admin:password, click “Create / Reset Database”, then set the difficulty to Medium in the DVWA Security settings.
Instructions
Complete all of the following vulnerabilities in MEDIUM difficulty:
- CSRF — forge a request to change the admin password
- File Inclusion — include local/remote files through URL parameters
- File Upload — upload a malicious file bypassing filters
- SQL Injection — extract data from the database
- SQL Injection (Blind) — infer data through true/false responses
- XSS (DOM) — inject script through DOM manipulation
- XSS (Reflected) — inject script via URL parameter
- XSS (Stored) — store malicious script in the application
Submission
Report showing the process of exploiting each vulnerability:
- Steps followed
- Tools and commands used
- Screenshots of successful exploitation
- Explanation of why the vulnerability exists
- Mitigation recommendation for each
Key concepts
| Term | Definition |
|---|---|
| XSS | Injection of malicious scripts into web pages |
| SQLi | Injection of malicious SQL code into input fields |
| CSRF | Attack that exploits the browser to send malicious requests |
| LFI | Inclusion of local server files via manipulable parameters |
| Burp Suite | HTTP proxy for web security testing |
| WAF | Specialized firewall for protecting web applications |
| OWASP Top 10 | List of the ten most critical web vulnerabilities |
Test yourself
- XSS: What is the difference between reflected, stored, and DOM-based XSS? Which is more dangerous and why?
- SQLi: Explain how an attacker can use SQL injection to bypass login authentication. What SQL query would result?
- Mitigation: For each OWASP Top 10 vulnerability you practiced in the lab, propose a specific technical control that prevents it.