Web Application Security
Objectives: By the end of this topic, you will be able to…
- Recognize and exploit common vulnerabilities in web applications
- Intercept and modify HTTP traffic
- Use automated analysis tools
- Understand the most common OWASP risks and how to mitigate them
Client-server model and components of a web app
A web application is based on the client-server model:
- The client (browser) sends requests (HTTP/S) to the server
- The server processes the request, accesses databases if necessary, and responds with content
Typical components:
| Component | Description |
|---|---|
| Frontend | User interface (HTML, CSS, JavaScript) |
| Backend | Business logic (PHP, Python, Node.js) |
| Database | Persistent storage (MySQL, MongoDB, PostgreSQL) |
| Web server | Intermediary between client and backend (Apache, Nginx) |
| Sessions/cookies | Mechanisms to maintain state between requests |
OWASP Top 10: key vulnerabilities
XSS (Cross-Site Scripting)
Injecting scripts into web pages that execute in other users’ browsers.
- Types: Reflected, Stored, DOM-based
- Consequences: cookie theft, redirects, keylogging
SQL Injection (SQLi)
Manipulating SQL queries through user input.
- Consequences: data access/modification, authentication bypass
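Added example (not code from this page or from DVWA): a minimal Python/sqlite3 login check that builds its query by string concatenation, next to the same check written with a parameterized query. The in-memory `users` table is constructed for the demonstration; it shows how a single crafted password value bypasses authentication in the first version while the second treats the same input as plain data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for a web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password for the demonstration only; real apps store a salted hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'password')")
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Query assembled from raw input: the input becomes part of the SQL syntax."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # A password of  ' OR '1'='1  turns the WHERE clause into
    # (username = 'admin' AND password = '') OR '1'='1', which is always true.
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver binds the values, so quotes and keywords
    # inside the input are compared literally and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, real credentials:", login_vulnerable(db, "admin", "password"))
    print("vulnerable, crafted password:", login_vulnerable(db, "admin", payload))
    print("parameterized, crafted password:", login_safe(db, "admin", payload))
```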
LFI (Local File Inclusion)
Inclusion of local server files via manipulable parameters.
- May allow reading sensitive files (e.g., /etc/passwd) or code execution
CSRF (Cross-Site Request Forgery)
Exploiting the user’s browser to send malicious requests to an application where they are authenticated.
- Consequences: password changes, unauthorized transactions
Analysis of HTTP requests and sessions
Understanding HTTP traffic is key to finding and exploiting vulnerabilities:
- HTTP methods: GET, POST, PUT, DELETE
- HTTP headers: User-Agent, Cookie, Referer, Authorization
- Request body and parameters
- Session management: session cookies, CSRF tokens, persistent authentication mechanisms
Controlled exploitation techniques
Using safe environments (DVWA, OWASP Juice Shop):
- Code injection in forms
- Manipulating cookies or headers
- Automating basic attacks with scripts or tools
- Exploiting hidden parameters
Always perform these practices in controlled environments and with authorization.
Interceptors and automated scanners
| Tool | Description |
|---|---|
| Burp Suite | Proxy/interceptor for HTTP modification, attack automation, app mapping |
| OWASP ZAP | Free alternative to Burp with automated scanning |
| Nikto | Vulnerability scanner for web servers |
| sqlmap | Automates detection and exploitation of SQLi |
| wfuzz / ffuf | Fuzzing of routes and parameters |
| WhatWeb / Wappalyzer | Technology fingerprinting |
Hands-on lab
Requirements: Kali Linux, DVWA
Lab setup: Installing DVWA
```bash
sudo bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh)"
```
DVWA will be available at http://localhost/DVWA. Log in with admin:password, click “Create / Reset Database”, then set the difficulty to Medium in the DVWA Security settings.
Before starting each exploit, click “View Source” in DVWA to read the server-side code. What specific insecure coding practice enables each vulnerability?
Instructions
Complete all of the following vulnerabilities in MEDIUM difficulty:
- CSRF — forge a request to change the admin password
- File Inclusion — include local/remote files through URL parameters
- File Upload — upload a malicious file bypassing filters
- SQL Injection — extract data from the database
- SQL Injection (Blind) — infer data through true/false responses
- XSS (DOM) — inject script through DOM manipulation
- XSS (Reflected) — inject script via URL parameter
- XSS (Stored) — store malicious script in the application
Which vulnerability was hardest to exploit at medium difficulty, and what additional defense mechanism was DVWA using? How did you identify and bypass it?
Submission
Report showing the process of exploiting each vulnerability:
- Steps followed
- Tools and commands used
- Screenshots of successful exploitation
- Explanation of why the vulnerability exists
- Mitigation recommendation for each
Key concepts
| Term | Definition |
|---|---|
| XSS | Injection of malicious scripts into web pages |
| SQLi | Injection of malicious SQL code into input fields |
| CSRF | Attack that exploits the browser to send malicious requests |
| LFI | Inclusion of local server files via manipulable parameters |
| Burp Suite | HTTP proxy for web security testing |
| WAF | Specialized firewall for protecting web applications |
| OWASP Top 10 | List of the ten most critical web vulnerabilities |